# Flog Txt Version 1 # Analyzer Version: 2.4.0 # Analyzer Build Date: Jul 24 2018 18:08:56 # Log Creation Date: 18.09.2018 12:19:11.573 Process: id = "1" image_name = "80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe" filename = "c:\\users\\eebsym5\\desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe" page_root = "0x7ea16380" os_pid = "0x9e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe\" " cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 136 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 137 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 138 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 139 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 140 start_va = 0x230000 end_va = 0x243fff entry_point = 0x230000 region_type = mapped_file name = "80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe" filename = "\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe" (normalized: "c:\\users\\eebsym5\\desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe") Region: id = 141 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 142 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 143 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 144 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 145 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 146 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 147 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 148 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 149 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 150 start_va = 0x1b0000 end_va = 0x216fff entry_point = 0x1b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 151 start_va = 0x71d30000 end_va = 0x71d41fff entry_point = 0x71d30000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 152 start_va = 0x753f0000 end_va = 0x753fbfff entry_point = 0x753f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 153 start_va = 0x75420000 end_va = 0x7553cfff entry_point = 0x75420000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 154 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 155 start_va = 0x75830000 end_va = 0x76479fff entry_point = 0x75830000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 156 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 157 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 158 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 159 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 160 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 161 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 162 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 163 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 164 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 165 start_va = 0x70000 end_va = 0x7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 166 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 167 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 168 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 169 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 170 start_va = 0x50000 end_va = 0x50fff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 171 start_va = 0x320000 end_va = 0x420fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 172 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 173 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 174 start_va = 0x1130000 end_va = 0x153ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 175 start_va = 0x1540000 end_va = 0x194ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001540000" filename = "" Region: id = 176 start_va = 0x80000 end_va = 0x8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 177 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 178 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 179 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 180 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 181 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 182 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 183 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 184 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 185 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 186 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 187 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 188 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 189 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 190 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 191 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 192 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 193 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 194 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 195 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 196 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 197 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 198 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 199 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 200 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 201 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 202 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 203 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 204 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 205 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 206 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 207 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 218 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 219 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 220 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 221 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 222 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 223 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 224 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 225 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 226 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 227 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 228 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 229 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 230 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 231 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 232 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 233 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 234 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 235 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 236 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 237 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 238 start_va = 0x1130000 end_va = 0x153ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 239 start_va = 0x1540000 end_va = 0x194ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001540000" filename = "" Region: id = 240 start_va = 0x80000 end_va = 0x8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 241 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 242 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 243 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 244 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 245 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 246 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 247 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 248 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 249 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 250 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 251 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 252 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 253 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 254 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 255 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 256 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 257 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 258 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 259 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 260 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 261 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 262 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 263 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 264 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 271 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 272 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 273 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 274 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 275 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 276 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 277 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 278 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 279 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 280 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 281 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 282 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 283 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 284 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 285 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 286 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 287 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 288 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 289 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 290 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 291 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 292 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 293 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 294 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 295 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 296 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 297 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 298 start_va = 0x1130000 end_va = 0x153ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 299 start_va = 0x1540000 end_va = 0x194ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001540000" filename = "" Region: id = 300 start_va = 0x80000 end_va = 0x8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 301 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 302 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 303 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 304 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 305 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 306 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 307 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 308 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 309 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 310 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 311 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 312 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 313 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 314 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 315 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 316 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 317 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 318 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 319 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 320 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 321 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 322 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 323 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 324 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 325 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 326 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 327 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 328 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 329 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 330 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 331 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 332 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 333 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 334 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 335 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 336 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 337 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 338 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 339 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 340 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 341 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 342 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 343 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 344 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 345 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 346 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 347 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 348 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 349 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 350 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 351 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 352 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 353 start_va = 0x1130000 end_va = 0x153ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 354 start_va = 0x1540000 end_va = 0x194ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001540000" filename = "" Region: id = 355 start_va = 0x80000 end_va = 0x8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 356 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 357 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 358 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 359 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 360 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 361 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 362 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 363 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 364 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 365 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 366 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 367 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 368 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 369 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 370 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 371 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 372 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 373 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 374 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 375 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 376 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 377 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 378 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 379 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 380 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 381 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 382 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 383 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 384 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 385 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 386 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 387 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 388 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 389 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 390 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 391 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 392 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 393 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 394 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 395 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 396 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 397 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 398 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 399 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 400 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 401 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 402 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 403 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 404 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 405 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 406 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 407 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 408 start_va = 0x1130000 end_va = 0x153ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 409 start_va = 0x1540000 end_va = 0x194ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001540000" filename = "" Region: id = 410 start_va = 0x80000 end_va = 0x8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 411 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 412 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 413 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 414 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 415 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 416 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 417 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 418 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 419 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 420 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 421 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 422 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 423 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 424 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 425 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 426 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 427 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 428 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 429 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 430 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 431 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 432 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 433 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 434 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 435 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 436 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 437 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 438 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 439 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 440 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 441 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 442 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 443 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 444 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 445 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 446 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 447 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 448 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 449 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 450 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 451 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 452 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 453 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 454 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 455 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 456 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 457 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 458 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 459 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 460 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 461 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 462 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 463 start_va = 0x1130000 end_va = 0x153ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 464 start_va = 0x1540000 end_va = 0x194ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001540000" filename = "" Region: id = 465 start_va = 0x80000 end_va = 0x8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 466 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 467 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 468 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 469 start_va = 0x1130000 end_va = 0x153ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 470 start_va = 0x1540000 end_va = 0x194ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001540000" filename = "" Region: id = 471 start_va = 0x80000 end_va = 0x8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 472 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 473 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 474 start_va = 0x1130000 end_va = 0x153ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 475 start_va = 0x1540000 end_va = 0x194ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001540000" filename = "" Region: id = 476 start_va = 0x80000 end_va = 0x8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 477 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 493 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 494 start_va = 0x1130000 end_va = 0x153ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 495 start_va = 0x1540000 end_va = 0x194ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001540000" filename = "" Region: id = 496 start_va = 0x80000 end_va = 0x8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 497 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 501 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 502 start_va = 0x1130000 end_va = 0x153ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 503 start_va = 0x1540000 end_va = 0x194ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001540000" filename = "" Region: id = 504 start_va = 0x80000 end_va = 0x8efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 505 start_va = 0x60000 end_va = 0x6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 506 start_va = 0x1130000 end_va = 0x1230fff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 515 start_va = 0x1240000 end_va = 0x150efff entry_point = 0x1240000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 516 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 521 start_va = 0x1510000 end_va = 0x154bfff entry_point = 0x1510000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 529 start_va = 0x1510000 end_va = 0x154bfff entry_point = 0x1510000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 530 start_va = 0x1510000 end_va = 0x154bfff entry_point = 0x1510000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 531 start_va = 0x1510000 end_va = 0x154bfff entry_point = 0x1510000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 532 start_va = 0x1510000 end_va = 0x154bfff entry_point = 0x1510000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 533 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 534 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 535 start_va = 0x1130000 end_va = 0x1230fff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 536 start_va = 0x1130000 end_va = 0x1230fff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 537 start_va = 0x1130000 end_va = 0x1230fff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 538 start_va = 0x1130000 end_va = 0x1230fff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Thread: id = 1 os_tid = 0x9e4 [0086.545] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afa84 | out: lpSystemTimeAsFileTime=0x1afa84*(dwLowDateTime=0xfd05ed50, dwHighDateTime=0x1d44f49)) [0086.545] GetCurrentThreadId () returned 0x9e4 [0086.545] GetCurrentProcessId () returned 0x9e0 [0086.545] QueryPerformanceCounter (in: lpPerformanceCount=0x1afa7c | out: lpPerformanceCount=0x1afa7c*=12879714401) returned 1 [0086.546] GetStartupInfoA (in: lpStartupInfo=0x1afa38 | out: lpStartupInfo=0x1afa38*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0086.546] GetModuleHandleA (lpModuleName=0x0) returned 0x230000 [0086.546] __set_app_type (_Type=0x2) [0086.546] __p__fmode () returned 0x76b331f4 [0086.546] __p__commode () returned 0x76b331fc [0086.547] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0086.547] _onexit (_Func=0x237a40) returned 0x237a40 [0086.547] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76910000 [0086.548] GetProcAddress (hModule=0x76910000, lpProcName="InitializeConditionVariable") returned 0x77289981 [0086.548] GetProcAddress (hModule=0x76910000, lpProcName="SleepConditionVariableCS") returned 0x769418be [0086.548] GetProcAddress (hModule=0x76910000, lpProcName="WakeAllConditionVariable") returned 0x772545a5 [0086.548] RtlInitializeConditionVariable (in: ConditionVariable=0x23f7e4 | out: ConditionVariable=0x23f7e4) [0086.548] _onexit (_Func=0x237fff) returned 0x237fff [0086.548] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x2315ea) returned 0x0 [0086.548] __getmainargs (in: _Argc=0x23f800, _Argv=0x23f808, _Env=0x23f804, _DoWildCard=0, _StartInfo=0x23f814 | out: _Argc=0x23f800, _Argv=0x23f808, _Env=0x23f804) returned 0 [0086.549] _onexit (_Func=0x239df0) returned 0x239df0 [0086.549] _onexit (_Func=0x239ea0) returned 0x239ea0 [0086.549] _onexit (_Func=0x239e90) returned 0x239e90 [0086.549] _onexit (_Func=0x239e20) returned 0x239e20 [0086.549] _onexit (_Func=0x239e30) returned 0x239e30 [0086.549] wcslen (_String="sqlserv.exe") returned 0xb [0086.550] wcslen (_String="oracle.exe") returned 0xa [0086.550] wcslen (_String="ntdbsmgr.exe") returned 0xc [0086.550] wcslen (_String="sqlservr.exe") returned 0xc [0086.550] wcslen (_String="sqlwriter.exe") returned 0xd [0086.550] wcslen (_String="MsDtsSrvr.exe") returned 0xd [0086.550] wcslen (_String="msmdsrv.exe") returned 0xb [0086.550] wcslen (_String="ReportingServecesService.exe") returned 0x1c [0086.550] wcslen (_String="fdhost.exe") returned 0xa [0086.550] wcslen (_String="fdlauncher.exe") returned 0xe [0086.552] _onexit (_Func=0x239dc3) returned 0x239dc3 [0086.552] wcslen (_String=".sql") returned 0x4 [0086.552] wcslen (_String=".mdf") returned 0x4 [0086.552] wcslen (_String=".txt") returned 0x4 [0086.552] wcslen (_String=".dbf") returned 0x4 [0086.552] wcslen (_String=".ckp") returned 0x4 [0086.552] wcslen (_String=".dacpac") returned 0x7 [0086.552] wcslen (_String=".db3") returned 0x4 [0086.552] wcslen (_String=".dtxs") returned 0x5 [0086.552] wcslen (_String=".mdt") returned 0x4 [0086.552] wcslen (_String=".sdf") returned 0x4 [0086.552] wcslen (_String=".MDF") returned 0x4 [0086.552] wcslen (_String=".DBF") returned 0x4 [0086.552] _onexit (_Func=0x239daa) returned 0x239daa [0086.553] wcslen (_String="C:\\Program Files (x86)\\Microsoft SQL Server\\") returned 0x2c [0086.553] wcslen (_String="C:\\Program Files\\Microsoft SQL Server\\") returned 0x26 [0086.553] _onexit (_Func=0x239ddc) returned 0x239ddc [0086.553] wcslen (_String="Windows") returned 0x7 [0086.553] wcslen (_String="windows") returned 0x7 [0086.553] wcslen (_String="Program files") returned 0xd [0086.553] wcslen (_String="Program files (x86)") returned 0x13 [0086.553] wcslen (_String="system volume information") returned 0x19 [0086.553] wcslen (_String="$recycle.bin") returned 0xc [0086.553] _onexit (_Func=0x239d91) returned 0x239d91 [0086.553] wcslen (_String=".[rmail@rmail.cc].rmaile") returned 0x18 [0086.554] _onexit (_Func=0x239d9b) returned 0x239d9b [0086.554] strlen (_Str="Hi !\nIid-3003${CODE}\n\n") returned 0x16 [0086.554] _onexit (_Func=0x239dcd) returned 0x239dcd [0086.554] _onexit (_Func=0x239db4) returned 0x239db4 [0086.556] WinExec (lpCmdLine="vssadmin delete shadows /all /quiet", uCmdShow=0x0) returned 0x21 [0086.676] GetCommandLineW () returned="\"C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe\" " [0086.676] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe\" ", pNumArgs=0x1afa0c | out: pNumArgs=0x1afa0c) returned 0x44a7f8*="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe" [0086.676] _time64 (in: _Time=0x0 | out: _Time=0x0) returned 0x5ba0ed8d [0086.676] srand (_Seed=0x5ba0ed8d) [0086.676] ??_U@YAPAXI@Z () returned 0x7d060 [0086.676] rand () returned 29956 [0086.676] rand () returned 8989 [0086.676] rand () returned 26873 [0086.676] rand () returned 10783 [0086.676] rand () returned 25837 [0086.676] rand () returned 22133 [0086.676] rand () returned 1528 [0086.676] rand () returned 27982 [0086.676] rand () returned 3870 [0086.676] rand () returned 13801 [0086.676] rand () returned 8643 [0086.676] rand () returned 28341 [0086.676] rand () returned 717 [0086.677] rand () returned 4200 [0086.677] rand () returned 6623 [0086.677] rand () returned 30423 [0086.677] rand () returned 840 [0086.677] rand () returned 1434 [0086.677] rand () returned 4770 [0086.677] rand () returned 20159 [0086.677] rand () returned 21302 [0086.677] rand () returned 13334 [0086.677] rand () returned 15512 [0086.677] rand () returned 32733 [0086.677] rand () returned 17696 [0086.677] rand () returned 6102 [0086.677] rand () returned 2342 [0086.677] rand () returned 17936 [0086.677] rand () returned 13616 [0086.677] rand () returned 11495 [0086.677] rand () returned 4717 [0086.677] rand () returned 26628 [0086.677] strlen (_Str="5a4166757164644a704841363935594e7a4f5463445a5030563132536838386e") returned 0x40 [0086.677] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x70 [0086.684] Process32FirstW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0086.685] wcslen (_String="[System Process]") returned 0x10 [0086.685] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0086.686] wcslen (_String="System") returned 0x6 [0086.686] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0086.686] wcslen (_String="smss.exe") returned 0x8 [0086.687] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.687] wcslen (_String="csrss.exe") returned 0x9 [0086.687] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0086.688] wcslen (_String="wininit.exe") returned 0xb [0086.688] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.689] wcslen (_String="csrss.exe") returned 0x9 [0086.689] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0086.690] wcslen (_String="winlogon.exe") returned 0xc [0086.690] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0086.691] wcslen (_String="services.exe") returned 0xc [0086.691] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0086.692] wcslen (_String="lsass.exe") returned 0x9 [0086.692] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0086.693] wcslen (_String="lsm.exe") returned 0x7 [0086.693] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.694] wcslen (_String="svchost.exe") returned 0xb [0086.694] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.695] wcslen (_String="svchost.exe") returned 0xb [0086.695] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.695] wcslen (_String="svchost.exe") returned 0xb [0086.695] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.697] wcslen (_String="svchost.exe") returned 0xb [0086.697] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.697] wcslen (_String="svchost.exe") returned 0xb [0086.697] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0086.698] wcslen (_String="audiodg.exe") returned 0xb [0086.698] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.699] wcslen (_String="svchost.exe") returned 0xb [0086.699] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.699] wcslen (_String="svchost.exe") returned 0xb [0086.699] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0086.700] wcslen (_String="spoolsv.exe") returned 0xb [0086.700] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.701] wcslen (_String="svchost.exe") returned 0xb [0086.701] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0086.701] wcslen (_String="taskhost.exe") returned 0xc [0086.701] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0086.702] wcslen (_String="taskeng.exe") returned 0xb [0086.702] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0086.703] wcslen (_String="dwm.exe") returned 0x7 [0086.703] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0086.704] wcslen (_String="explorer.exe") returned 0xc [0086.704] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.705] wcslen (_String="svchost.exe") returned 0xb [0086.705] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0086.706] wcslen (_String="taskhost.exe") returned 0xc [0086.706] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="increased.exe")) returned 1 [0086.707] wcslen (_String="increased.exe") returned 0xd [0086.707] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x300, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="placingregistrar.exe")) returned 1 [0086.709] wcslen (_String="placingregistrar.exe") returned 0x14 [0086.709] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals.exe")) returned 1 [0086.710] wcslen (_String="manuals.exe") returned 0xb [0086.710] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x758, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ran.exe")) returned 1 [0086.711] wcslen (_String="ran.exe") returned 0x7 [0086.711] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="crisis.exe")) returned 1 [0086.826] wcslen (_String="crisis.exe") returned 0xa [0086.826] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbitration.exe")) returned 1 [0086.827] wcslen (_String="arbitration.exe") returned 0xf [0086.827] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="roommate_nd.exe")) returned 1 [0086.828] wcslen (_String="roommate_nd.exe") returned 0xf [0086.828] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="livecamtree.exe")) returned 1 [0086.829] wcslen (_String="livecamtree.exe") returned 0xf [0086.829] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="adams specialties air.exe")) returned 1 [0086.830] wcslen (_String="adams specialties air.exe") returned 0x19 [0086.830] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="philip.exe")) returned 1 [0086.831] wcslen (_String="philip.exe") returned 0xa [0086.831] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="knowledge-mold.exe")) returned 1 [0086.832] wcslen (_String="knowledge-mold.exe") returned 0x12 [0086.833] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="since.exe")) returned 1 [0086.834] wcslen (_String="since.exe") returned 0x9 [0086.834] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="opera.exe")) returned 1 [0086.834] wcslen (_String="opera.exe") returned 0x9 [0086.834] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x828, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="lecture worker art.exe")) returned 1 [0086.835] wcslen (_String="lecture worker art.exe") returned 0x16 [0086.835] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="raw-reprint.exe")) returned 1 [0086.836] wcslen (_String="raw-reprint.exe") returned 0xf [0086.836] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x848, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="scripting commodities.exe")) returned 1 [0086.837] wcslen (_String="scripting commodities.exe") returned 0x19 [0086.837] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x858, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="trans-mpeg.exe")) returned 1 [0086.839] wcslen (_String="trans-mpeg.exe") returned 0xe [0086.839] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x868, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="suppliers_false.exe")) returned 1 [0086.840] wcslen (_String="suppliers_false.exe") returned 0x13 [0086.840] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x878, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="denmarkship.exe")) returned 1 [0086.841] wcslen (_String="denmarkship.exe") returned 0xf [0086.841] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0086.842] wcslen (_String="dllhost.exe") returned 0xb [0086.842] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0086.843] wcslen (_String="dllhost.exe") returned 0xb [0086.843] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe")) returned 1 [0086.843] wcslen (_String="80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe") returned 0x44 [0086.843] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0086.844] wcslen (_String="vssadmin.exe") returned 0xc [0086.844] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0086.845] CloseHandle (hObject=0x70) returned 1 [0086.845] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x64 [0086.850] Process32FirstW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0086.851] wcslen (_String="[System Process]") returned 0x10 [0086.851] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0086.851] wcslen (_String="System") returned 0x6 [0086.851] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0086.852] wcslen (_String="smss.exe") returned 0x8 [0086.852] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.853] wcslen (_String="csrss.exe") returned 0x9 [0086.853] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0086.854] wcslen (_String="wininit.exe") returned 0xb [0086.854] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.854] wcslen (_String="csrss.exe") returned 0x9 [0086.854] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0086.855] wcslen (_String="winlogon.exe") returned 0xc [0086.855] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0086.856] wcslen (_String="services.exe") returned 0xc [0086.856] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0086.856] wcslen (_String="lsass.exe") returned 0x9 [0086.856] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0086.857] wcslen (_String="lsm.exe") returned 0x7 [0086.857] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.858] wcslen (_String="svchost.exe") returned 0xb [0086.858] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.858] wcslen (_String="svchost.exe") returned 0xb [0086.858] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.859] wcslen (_String="svchost.exe") returned 0xb [0086.859] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.860] wcslen (_String="svchost.exe") returned 0xb [0086.860] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.861] wcslen (_String="svchost.exe") returned 0xb [0086.861] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0086.862] wcslen (_String="audiodg.exe") returned 0xb [0086.862] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.862] wcslen (_String="svchost.exe") returned 0xb [0086.862] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.863] wcslen (_String="svchost.exe") returned 0xb [0086.863] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0086.864] wcslen (_String="spoolsv.exe") returned 0xb [0086.864] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.864] wcslen (_String="svchost.exe") returned 0xb [0086.864] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0086.865] wcslen (_String="taskhost.exe") returned 0xc [0086.865] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0086.866] wcslen (_String="taskeng.exe") returned 0xb [0086.866] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0086.867] wcslen (_String="dwm.exe") returned 0x7 [0086.867] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0086.878] wcslen (_String="explorer.exe") returned 0xc [0086.878] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.879] wcslen (_String="svchost.exe") returned 0xb [0086.879] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0086.880] wcslen (_String="taskhost.exe") returned 0xc [0086.880] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="increased.exe")) returned 1 [0086.881] wcslen (_String="increased.exe") returned 0xd [0086.881] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x300, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="placingregistrar.exe")) returned 1 [0086.882] wcslen (_String="placingregistrar.exe") returned 0x14 [0086.882] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals.exe")) returned 1 [0086.883] wcslen (_String="manuals.exe") returned 0xb [0086.883] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x758, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ran.exe")) returned 1 [0086.884] wcslen (_String="ran.exe") returned 0x7 [0086.884] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="crisis.exe")) returned 1 [0086.885] wcslen (_String="crisis.exe") returned 0xa [0086.885] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbitration.exe")) returned 1 [0086.886] wcslen (_String="arbitration.exe") returned 0xf [0086.886] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="roommate_nd.exe")) returned 1 [0086.887] wcslen (_String="roommate_nd.exe") returned 0xf [0086.887] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="livecamtree.exe")) returned 1 [0086.888] wcslen (_String="livecamtree.exe") returned 0xf [0086.889] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="adams specialties air.exe")) returned 1 [0086.890] wcslen (_String="adams specialties air.exe") returned 0x19 [0086.890] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="philip.exe")) returned 1 [0086.891] wcslen (_String="philip.exe") returned 0xa [0086.891] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="knowledge-mold.exe")) returned 1 [0086.892] wcslen (_String="knowledge-mold.exe") returned 0x12 [0086.892] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="since.exe")) returned 1 [0086.893] wcslen (_String="since.exe") returned 0x9 [0086.893] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="opera.exe")) returned 1 [0086.894] wcslen (_String="opera.exe") returned 0x9 [0086.894] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x828, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="lecture worker art.exe")) returned 1 [0086.895] wcslen (_String="lecture worker art.exe") returned 0x16 [0086.895] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="raw-reprint.exe")) returned 1 [0086.896] wcslen (_String="raw-reprint.exe") returned 0xf [0086.896] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x848, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="scripting commodities.exe")) returned 1 [0086.897] wcslen (_String="scripting commodities.exe") returned 0x19 [0086.897] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x858, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="trans-mpeg.exe")) returned 1 [0086.898] wcslen (_String="trans-mpeg.exe") returned 0xe [0086.898] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x868, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="suppliers_false.exe")) returned 1 [0086.900] wcslen (_String="suppliers_false.exe") returned 0x13 [0086.900] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x878, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="denmarkship.exe")) returned 1 [0086.901] wcslen (_String="denmarkship.exe") returned 0xf [0086.901] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0086.902] wcslen (_String="dllhost.exe") returned 0xb [0086.902] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0086.903] wcslen (_String="dllhost.exe") returned 0xb [0086.903] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe")) returned 1 [0086.903] wcslen (_String="80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe") returned 0x44 [0086.904] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0086.904] wcslen (_String="vssadmin.exe") returned 0xc [0086.904] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0086.905] CloseHandle (hObject=0x64) returned 1 [0086.905] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x70 [0086.910] Process32FirstW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0086.911] wcslen (_String="[System Process]") returned 0x10 [0086.911] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0086.911] wcslen (_String="System") returned 0x6 [0086.911] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0086.912] wcslen (_String="smss.exe") returned 0x8 [0086.912] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.913] wcslen (_String="csrss.exe") returned 0x9 [0086.913] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0086.913] wcslen (_String="wininit.exe") returned 0xb [0086.914] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.914] wcslen (_String="csrss.exe") returned 0x9 [0086.914] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0086.920] wcslen (_String="winlogon.exe") returned 0xc [0086.920] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0086.921] wcslen (_String="services.exe") returned 0xc [0086.921] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0086.922] wcslen (_String="lsass.exe") returned 0x9 [0086.922] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0086.922] wcslen (_String="lsm.exe") returned 0x7 [0086.923] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.923] wcslen (_String="svchost.exe") returned 0xb [0086.923] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.924] wcslen (_String="svchost.exe") returned 0xb [0086.924] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.925] wcslen (_String="svchost.exe") returned 0xb [0086.925] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.926] wcslen (_String="svchost.exe") returned 0xb [0086.926] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.927] wcslen (_String="svchost.exe") returned 0xb [0086.927] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0086.927] wcslen (_String="audiodg.exe") returned 0xb [0086.927] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.928] wcslen (_String="svchost.exe") returned 0xb [0086.928] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.929] wcslen (_String="svchost.exe") returned 0xb [0086.929] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0086.929] wcslen (_String="spoolsv.exe") returned 0xb [0086.929] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.930] wcslen (_String="svchost.exe") returned 0xb [0086.930] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0086.931] wcslen (_String="taskhost.exe") returned 0xc [0086.931] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0086.932] wcslen (_String="taskeng.exe") returned 0xb [0086.932] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0086.933] wcslen (_String="dwm.exe") returned 0x7 [0086.933] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0086.934] wcslen (_String="explorer.exe") returned 0xc [0086.934] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.935] wcslen (_String="svchost.exe") returned 0xb [0086.935] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0086.936] wcslen (_String="taskhost.exe") returned 0xc [0086.936] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="increased.exe")) returned 1 [0086.937] wcslen (_String="increased.exe") returned 0xd [0086.937] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x300, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="placingregistrar.exe")) returned 1 [0086.938] wcslen (_String="placingregistrar.exe") returned 0x14 [0086.938] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals.exe")) returned 1 [0086.939] wcslen (_String="manuals.exe") returned 0xb [0086.939] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x758, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ran.exe")) returned 1 [0086.940] wcslen (_String="ran.exe") returned 0x7 [0086.940] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="crisis.exe")) returned 1 [0086.941] wcslen (_String="crisis.exe") returned 0xa [0086.941] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbitration.exe")) returned 1 [0086.943] wcslen (_String="arbitration.exe") returned 0xf [0086.943] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="roommate_nd.exe")) returned 1 [0086.944] wcslen (_String="roommate_nd.exe") returned 0xf [0086.944] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="livecamtree.exe")) returned 1 [0086.945] wcslen (_String="livecamtree.exe") returned 0xf [0086.945] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="adams specialties air.exe")) returned 1 [0086.946] wcslen (_String="adams specialties air.exe") returned 0x19 [0086.946] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="philip.exe")) returned 1 [0086.947] wcslen (_String="philip.exe") returned 0xa [0086.947] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="knowledge-mold.exe")) returned 1 [0086.948] wcslen (_String="knowledge-mold.exe") returned 0x12 [0086.948] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="since.exe")) returned 1 [0086.949] wcslen (_String="since.exe") returned 0x9 [0086.949] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="opera.exe")) returned 1 [0086.950] wcslen (_String="opera.exe") returned 0x9 [0086.950] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x828, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="lecture worker art.exe")) returned 1 [0086.951] wcslen (_String="lecture worker art.exe") returned 0x16 [0086.951] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="raw-reprint.exe")) returned 1 [0086.952] wcslen (_String="raw-reprint.exe") returned 0xf [0086.952] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x848, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="scripting commodities.exe")) returned 1 [0086.953] wcslen (_String="scripting commodities.exe") returned 0x19 [0086.953] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x858, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="trans-mpeg.exe")) returned 1 [0086.954] wcslen (_String="trans-mpeg.exe") returned 0xe [0086.954] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x868, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="suppliers_false.exe")) returned 1 [0086.955] wcslen (_String="suppliers_false.exe") returned 0x13 [0086.955] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x878, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="denmarkship.exe")) returned 1 [0086.956] wcslen (_String="denmarkship.exe") returned 0xf [0086.956] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0086.957] wcslen (_String="dllhost.exe") returned 0xb [0086.957] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0086.958] wcslen (_String="dllhost.exe") returned 0xb [0086.958] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe")) returned 1 [0086.959] wcslen (_String="80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe") returned 0x44 [0086.959] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0086.960] wcslen (_String="vssadmin.exe") returned 0xc [0086.960] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0086.961] wcslen (_String="conhost.exe") returned 0xb [0086.961] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0086.962] CloseHandle (hObject=0x70) returned 1 [0086.962] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x64 [0086.966] Process32FirstW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0086.967] wcslen (_String="[System Process]") returned 0x10 [0086.967] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0086.968] wcslen (_String="System") returned 0x6 [0086.968] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0086.969] wcslen (_String="smss.exe") returned 0x8 [0086.969] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.969] wcslen (_String="csrss.exe") returned 0x9 [0086.969] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0086.970] wcslen (_String="wininit.exe") returned 0xb [0086.970] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.971] wcslen (_String="csrss.exe") returned 0x9 [0086.971] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0086.971] wcslen (_String="winlogon.exe") returned 0xc [0086.971] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0086.972] wcslen (_String="services.exe") returned 0xc [0086.972] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0086.973] wcslen (_String="lsass.exe") returned 0x9 [0086.973] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0086.973] wcslen (_String="lsm.exe") returned 0x7 [0086.973] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.974] wcslen (_String="svchost.exe") returned 0xb [0086.974] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.975] wcslen (_String="svchost.exe") returned 0xb [0086.975] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.975] wcslen (_String="svchost.exe") returned 0xb [0086.975] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.976] wcslen (_String="svchost.exe") returned 0xb [0086.976] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.977] wcslen (_String="svchost.exe") returned 0xb [0086.977] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0086.977] wcslen (_String="audiodg.exe") returned 0xb [0086.977] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.978] wcslen (_String="svchost.exe") returned 0xb [0086.978] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.979] wcslen (_String="svchost.exe") returned 0xb [0086.979] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0086.979] wcslen (_String="spoolsv.exe") returned 0xb [0086.979] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.980] wcslen (_String="svchost.exe") returned 0xb [0086.980] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0086.981] wcslen (_String="taskhost.exe") returned 0xc [0086.981] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0086.981] wcslen (_String="taskeng.exe") returned 0xb [0086.981] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0086.982] wcslen (_String="dwm.exe") returned 0x7 [0086.982] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0086.983] wcslen (_String="explorer.exe") returned 0xc [0086.983] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.985] wcslen (_String="svchost.exe") returned 0xb [0086.985] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0086.986] wcslen (_String="taskhost.exe") returned 0xc [0086.986] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="increased.exe")) returned 1 [0086.987] wcslen (_String="increased.exe") returned 0xd [0086.987] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x300, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="placingregistrar.exe")) returned 1 [0086.988] wcslen (_String="placingregistrar.exe") returned 0x14 [0086.988] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals.exe")) returned 1 [0086.989] wcslen (_String="manuals.exe") returned 0xb [0086.989] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x758, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ran.exe")) returned 1 [0086.991] wcslen (_String="ran.exe") returned 0x7 [0086.991] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="crisis.exe")) returned 1 [0086.992] wcslen (_String="crisis.exe") returned 0xa [0086.992] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbitration.exe")) returned 1 [0086.993] wcslen (_String="arbitration.exe") returned 0xf [0086.993] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="roommate_nd.exe")) returned 1 [0086.994] wcslen (_String="roommate_nd.exe") returned 0xf [0086.994] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="livecamtree.exe")) returned 1 [0086.995] wcslen (_String="livecamtree.exe") returned 0xf [0086.995] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="adams specialties air.exe")) returned 1 [0086.996] wcslen (_String="adams specialties air.exe") returned 0x19 [0086.996] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="philip.exe")) returned 1 [0086.997] wcslen (_String="philip.exe") returned 0xa [0086.997] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="knowledge-mold.exe")) returned 1 [0086.998] wcslen (_String="knowledge-mold.exe") returned 0x12 [0086.998] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="since.exe")) returned 1 [0086.999] wcslen (_String="since.exe") returned 0x9 [0086.999] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="opera.exe")) returned 1 [0087.000] wcslen (_String="opera.exe") returned 0x9 [0087.000] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x828, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="lecture worker art.exe")) returned 1 [0087.001] wcslen (_String="lecture worker art.exe") returned 0x16 [0087.001] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="raw-reprint.exe")) returned 1 [0087.002] wcslen (_String="raw-reprint.exe") returned 0xf [0087.002] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x848, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="scripting commodities.exe")) returned 1 [0087.003] wcslen (_String="scripting commodities.exe") returned 0x19 [0087.003] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x858, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="trans-mpeg.exe")) returned 1 [0087.004] wcslen (_String="trans-mpeg.exe") returned 0xe [0087.004] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x868, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="suppliers_false.exe")) returned 1 [0087.005] wcslen (_String="suppliers_false.exe") returned 0x13 [0087.005] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x878, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="denmarkship.exe")) returned 1 [0087.006] wcslen (_String="denmarkship.exe") returned 0xf [0087.006] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0087.007] wcslen (_String="dllhost.exe") returned 0xb [0087.007] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0087.010] wcslen (_String="dllhost.exe") returned 0xb [0087.010] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe")) returned 1 [0087.011] wcslen (_String="80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe") returned 0x44 [0087.011] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0087.012] wcslen (_String="vssadmin.exe") returned 0xc [0087.012] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0087.013] wcslen (_String="conhost.exe") returned 0xb [0087.013] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0087.014] CloseHandle (hObject=0x64) returned 1 [0087.014] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x70 [0087.019] Process32FirstW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0087.020] wcslen (_String="[System Process]") returned 0x10 [0087.020] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0087.021] wcslen (_String="System") returned 0x6 [0087.021] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0087.022] wcslen (_String="smss.exe") returned 0x8 [0087.022] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0087.023] wcslen (_String="csrss.exe") returned 0x9 [0087.023] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0087.023] wcslen (_String="wininit.exe") returned 0xb [0087.023] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0087.024] wcslen (_String="csrss.exe") returned 0x9 [0087.024] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0087.025] wcslen (_String="winlogon.exe") returned 0xc [0087.025] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0087.026] wcslen (_String="services.exe") returned 0xc [0087.026] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0087.026] wcslen (_String="lsass.exe") returned 0x9 [0087.026] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0087.027] wcslen (_String="lsm.exe") returned 0x7 [0087.027] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.028] wcslen (_String="svchost.exe") returned 0xb [0087.028] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.028] wcslen (_String="svchost.exe") returned 0xb [0087.028] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.029] wcslen (_String="svchost.exe") returned 0xb [0087.029] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.030] wcslen (_String="svchost.exe") returned 0xb [0087.030] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.031] wcslen (_String="svchost.exe") returned 0xb [0087.031] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0087.031] wcslen (_String="audiodg.exe") returned 0xb [0087.031] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.032] wcslen (_String="svchost.exe") returned 0xb [0087.032] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x43c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.033] wcslen (_String="svchost.exe") returned 0xb [0087.033] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0087.033] wcslen (_String="spoolsv.exe") returned 0xb [0087.033] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.034] wcslen (_String="svchost.exe") returned 0xb [0087.034] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0087.035] wcslen (_String="taskhost.exe") returned 0xc [0087.035] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x358, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0087.035] wcslen (_String="taskeng.exe") returned 0xb [0087.035] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x330, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0087.036] wcslen (_String="dwm.exe") returned 0x7 [0087.036] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0087.038] wcslen (_String="explorer.exe") returned 0xc [0087.038] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0087.039] wcslen (_String="svchost.exe") returned 0xb [0087.039] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0087.040] wcslen (_String="taskhost.exe") returned 0xc [0087.040] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="increased.exe")) returned 1 [0087.042] wcslen (_String="increased.exe") returned 0xd [0087.042] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x300, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="placingregistrar.exe")) returned 1 [0087.043] wcslen (_String="placingregistrar.exe") returned 0x14 [0087.043] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="manuals.exe")) returned 1 [0087.044] wcslen (_String="manuals.exe") returned 0xb [0087.044] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x758, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="ran.exe")) returned 1 [0087.045] wcslen (_String="ran.exe") returned 0x7 [0087.045] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="crisis.exe")) returned 1 [0087.047] wcslen (_String="crisis.exe") returned 0xa [0087.047] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="arbitration.exe")) returned 1 [0087.048] wcslen (_String="arbitration.exe") returned 0xf [0087.048] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x354, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="roommate_nd.exe")) returned 1 [0087.050] wcslen (_String="roommate_nd.exe") returned 0xf [0087.050] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x504, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="livecamtree.exe")) returned 1 [0087.051] wcslen (_String="livecamtree.exe") returned 0xf [0087.051] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="adams specialties air.exe")) returned 1 [0087.053] wcslen (_String="adams specialties air.exe") returned 0x19 [0087.053] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="philip.exe")) returned 1 [0087.054] wcslen (_String="philip.exe") returned 0xa [0087.054] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="knowledge-mold.exe")) returned 1 [0087.058] wcslen (_String="knowledge-mold.exe") returned 0x12 [0087.058] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="since.exe")) returned 1 [0087.060] wcslen (_String="since.exe") returned 0x9 [0087.060] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x814, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="opera.exe")) returned 1 [0087.061] wcslen (_String="opera.exe") returned 0x9 [0087.061] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x828, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="lecture worker art.exe")) returned 1 [0087.062] wcslen (_String="lecture worker art.exe") returned 0x16 [0087.062] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="raw-reprint.exe")) returned 1 [0087.063] wcslen (_String="raw-reprint.exe") returned 0xf [0087.063] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x848, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="scripting commodities.exe")) returned 1 [0087.064] wcslen (_String="scripting commodities.exe") returned 0x19 [0087.064] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x858, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="trans-mpeg.exe")) returned 1 [0087.066] wcslen (_String="trans-mpeg.exe") returned 0xe [0087.066] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x868, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="suppliers_false.exe")) returned 1 [0087.067] wcslen (_String="suppliers_false.exe") returned 0x13 [0087.067] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x878, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="denmarkship.exe")) returned 1 [0087.069] wcslen (_String="denmarkship.exe") returned 0xf [0087.069] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x99c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0087.071] wcslen (_String="dllhost.exe") returned 0xb [0087.071] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0087.072] wcslen (_String="dllhost.exe") returned 0xb [0087.072] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x5ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe")) returned 1 [0087.073] wcslen (_String="80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe") returned 0x44 [0087.073] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0087.075] wcslen (_String="vssadmin.exe") returned 0xc [0087.075] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0087.076] wcslen (_String="conhost.exe") returned 0xb [0087.076] Process32NextW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0087.077] CloseHandle (hObject=0x70) returned 1 [0087.077] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x64 [0087.083] Process32FirstW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0087.084] wcslen (_String="[System Process]") returned 0x10 [0087.084] Process32NextW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0087.140] CloseHandle (hObject=0x64) returned 1 [0087.140] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x70 [0087.148] Process32FirstW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0087.230] CloseHandle (hObject=0x70) returned 1 [0087.231] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x64 [0087.238] Process32FirstW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0088.866] CloseHandle (hObject=0x64) returned 1 [0088.867] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x70 [0088.872] Process32FirstW (in: hSnapshot=0x70, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0088.934] CloseHandle (hObject=0x70) returned 1 [0088.934] CreateToolhelp32Snapshot (dwFlags=0xf, th32ProcessID=0x0) returned 0x64 [0088.943] Process32FirstW (in: hSnapshot=0x64, lppe=0x1af6c4 | out: lppe=0x1af6c4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0089.007] CloseHandle (hObject=0x64) returned 1 [0089.007] GetLogicalDrives () returned 0x4 [0089.007] wcslen (_String=":\\") returned 0x2 [0089.007] wcslen (_String="C:\\Program Files (x86)\\Microsoft SQL Server\\") returned 0x2c [0089.008] wcscpy_s (in: _Destination=0x1af760, _SizeInWords=0x104, _Source="C:\\Program Files (x86)\\Microsoft SQL Server\\" | out: _Destination="C:\\Program Files (x86)\\Microsoft SQL Server\\") returned 0x0 [0089.100] wcscat (in: _Dest=0x1af760, _Source="\\*" | out: _Dest="C:\\Program Files (x86)\\Microsoft SQL Server\\\\*") returned="C:\\Program Files (x86)\\Microsoft SQL Server\\\\*" [0089.100] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Microsoft SQL Server\\\\*", lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 0xffffffff [0089.100] wcslen (_String="C:\\Program Files\\Microsoft SQL Server\\") returned 0x26 [0089.101] wcscpy_s (in: _Destination=0x1af760, _SizeInWords=0x104, _Source="C:\\Program Files\\Microsoft SQL Server\\" | out: _Destination="C:\\Program Files\\Microsoft SQL Server\\") returned 0x0 [0089.101] wcscat (in: _Dest=0x1af760, _Source="\\*" | out: _Dest="C:\\Program Files\\Microsoft SQL Server\\\\*") returned="C:\\Program Files\\Microsoft SQL Server\\\\*" [0089.101] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft SQL Server\\\\*", lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 0xffffffff [0089.101] wcslen (_String="C:\\") returned 0x3 [0089.101] wcscpy_s (in: _Destination=0x1af760, _SizeInWords=0x104, _Source="C:\\" | out: _Destination="C:\\") returned 0x0 [0089.101] wcscat (in: _Dest=0x1af760, _Source="\\*" | out: _Dest="C:\\\\*") returned="C:\\\\*" [0089.101] FindFirstFileW (in: lpFileName="C:\\\\*", lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 0x44aa38 [0089.102] wcsstr (_Str="$Recycle.Bin", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0089.102] _snwprintf (in: _Dest=0x1af760, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin") returned 16 [0089.102] wcscmp (_String1=".", _String2="$Recycle.Bin") returned 1 [0089.102] wcscmp (_String1="..", _String2="$Recycle.Bin") returned 1 [0089.102] wcslen (_String="C:\\\\$Recycle.Bin") returned 0x10 [0089.102] wcscpy_s (in: _Destination=0x1af2a4, _SizeInWords=0x104, _Source="C:\\\\$Recycle.Bin" | out: _Destination="C:\\\\$Recycle.Bin") returned 0x0 [0089.102] wcscat (in: _Dest=0x1af2a4, _Source="\\*" | out: _Dest="C:\\\\$Recycle.Bin\\*") returned="C:\\\\$Recycle.Bin\\*" [0089.102] FindFirstFileW (in: lpFileName="C:\\\\$Recycle.Bin\\*", lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 0x44aa78 [0089.102] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0089.102] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\.") returned 18 [0089.102] wcscmp (_String1=".", _String2=".") returned 0 [0089.102] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0089.102] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0089.102] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\..") returned 19 [0089.102] wcscmp (_String1=".", _String2="..") returned -1 [0089.102] wcscmp (_String1="..", _String2="..") returned 0 [0089.103] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0089.103] wcsstr (_Str="S-1-5-21-3785418085-2572485238-895829336-1000", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0089.103] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000") returned 62 [0089.103] wcscmp (_String1=".", _String2="S-1-5-21-3785418085-2572485238-895829336-1000") returned -1 [0089.103] wcscmp (_String1="..", _String2="S-1-5-21-3785418085-2572485238-895829336-1000") returned -1 [0089.103] wcslen (_String="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000") returned 0x3e [0089.103] wcscpy_s (in: _Destination=0x1aede8, _SizeInWords=0x104, _Source="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000" | out: _Destination="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000") returned 0x0 [0089.103] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\*") returned="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\*" [0089.103] FindFirstFileW (in: lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0089.104] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0089.104] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\.") returned 64 [0089.104] wcscmp (_String1=".", _String2=".") returned 0 [0089.104] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0089.104] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0089.104] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\..") returned 65 [0089.104] wcscmp (_String1=".", _String2="..") returned -1 [0089.104] wcscmp (_String1="..", _String2="..") returned 0 [0089.104] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0089.104] wcsstr (_Str="desktop.ini", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0089.104] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\desktop.ini") returned 74 [0089.105] wcscmp (_String1="desktop.ini", _String2="!=How_recovery_files=!.txt") returned 1 [0089.105] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="desktop.ini") returned 0x0 [0089.105] wcslen (_String="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\desktop.ini") returned 0x4a [0089.105] CreateFileW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3785418085-2572485238-895829336-1000\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x6c [0089.106] ??_U@YAPAXI@Z () returned 0x1130020 [0089.106] ReadFile (in: hFile=0x6c, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1aead4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1aead4*=0x81, lpOverlapped=0x0) returned 1 [0089.119] SetFilePointer (in: hFile=0x6c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0089.119] WriteFile (in: hFile=0x6c, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x1aead4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1aead4*=0x90, lpOverlapped=0x0) returned 1 [0089.120] CloseHandle (hObject=0x6c) returned 1 [0089.121] strlen (_Str="-----BEGIN PUBLIC KEY-----\nMIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBusgwY85Du6IVeFp+/Bjko\nowu9jvhAMEN5SBcyLe/1iH9zozxD/YCCs2hrs22/vJYKcL7uYn31cQ81BMj1PABt\nO/qhPOgiDkAiOT60Fxy/YrPVoQrdtv5FX9Us9bAEc1B3dvint1izl85HUPhnnN4h\nUpDdDss/uymIBXgVgODF6GU9nj7Uab9tqU3l2Oyq1Bb5dj/uJrSQ7ZXPaWNZPvh1\nnOyqto96OsrGpc7fRqWBcer4JRJCvZ6p8VyqMnkZFCa4qtZay002AmXchCi1R+gZ\nzP09YPcJrMIpGxmGRgbWCI1T+IVWxLMh95msG9iSs9H1GI0taWA0CCFYxPxv8Zkj\nAgMBAAE=\n-----END PUBLIC KEY-----") returned 0x1c2 [0089.121] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----\nMIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBusgwY85Du6IVeFp+/Bjko\nowu9jvhAMEN5SBcyLe/1iH9zozxD/YCCs2hrs22/vJYKcL7uYn31cQ81BMj1PABt\nO/qhPOgiDkAiOT60Fxy/YrPVoQrdtv5FX9Us9bAEc1B3dvint1izl85HUPhnnN4h\nUpDdDss/uymIBXgVgODF6GU9nj7Uab9tqU3l2Oyq1Bb5dj/uJrSQ7ZXPaWNZPvh1\nnOyqto96OsrGpc7fRqWBcer4JRJCvZ6p8VyqMnkZFCa4qtZay002AmXchCi1R+gZ\nzP09YPcJrMIpGxmGRgbWCI1T+IVWxLMh95msG9iSs9H1GI0taWA0CCFYxPxv8Zkj\nAgMBAAE=\n-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x1ad990, pcbBinary=0x1ad984, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x1ad990, pcbBinary=0x1ad984, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0089.147] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x1ad990, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x1ad978, pcbStructInfo=0x1ad970 | out: pvStructInfo=0x1ad978, pcbStructInfo=0x1ad970) returned 1 [0089.355] CryptAcquireContextW (in: phProv=0x1ad980, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x1ad980*=0x44a908) returned 1 [0090.165] CryptImportPublicKeyInfo (in: hCryptProv=0x44a908, dwCertEncodingType=0x1, pInfo=0x44d9f0*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x44da20*, PublicKey.cbData=0x10d, PublicKey.pbData=0x44da28*, PublicKey.cUnusedBits=0x0), phKey=0x1ad988 | out: phKey=0x1ad988*=0x44a990) returned 1 [0090.166] CryptEncrypt (in: hKey=0x44a990, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x1ad98c*=0x20, dwBufLen=0x20 | out: pbData=0x0*, pdwDataLen=0x1ad98c*=0x100) returned 1 [0090.166] ??_U@YAPAXI@Z () returned 0x7e168 [0090.166] CryptEncrypt (in: hKey=0x44a990, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x7e168*, pdwDataLen=0x1ad97c*=0x20, dwBufLen=0x100 | out: pbData=0x7e168*, pdwDataLen=0x1ad97c*=0x100) returned 1 [0090.167] setlocale (category=0, locale=0x0) returned="C" [0090.167] setlocale (category=0, locale="C") returned="C" [0090.167] ___lc_codepage_func () returned 0x0 [0090.167] calloc (_Count=0x100, _Size=0x2) returned 0x7e770 [0090.168] __pctype_func () returned 0x76a91b48 [0090.168] ___lc_handle_func () returned 0x7e69c [0090.168] setlocale (category=0, locale="C") returned="C" [0090.168] _wfsopen (_FileName="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\desktop.ini", _Mode="a", _ShFlag=64) returned 0x76b32960 [0090.168] setlocale (category=0, locale=0x0) returned="C" [0090.168] setlocale (category=0, locale="C") returned="C" [0090.168] setlocale (category=0, locale="C") returned="C" [0090.209] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0090.209] __uncaught_exception () returned 0x70700 [0090.209] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.210] MoveFileW (lpExistingFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3785418085-2572485238-895829336-1000\\desktop.ini"), lpNewFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\desktop.ini.[rmail@rmail.cc].rmaile" (normalized: "c:\\$recycle.bin\\s-1-5-21-3785418085-2572485238-895829336-1000\\desktop.ini.[rmail@rmail.cc].rmaile")) returned 1 [0090.211] ??_V@YAXPAX@Z () returned 0x1 [0090.228] SetFileAttributesW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\desktop.ini", dwFileAttributes=0x0) returned 0 [0090.228] DeleteFileW (lpFileName="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3785418085-2572485238-895829336-1000\\desktop.ini")) returned 0 [0090.228] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.228] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.228] wcslen (_String="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000") returned 0x3e [0090.228] strlen (_Str="${KEY}") returned 0x6 [0090.228] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0090.228] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0090.228] strlen (_Str="${CODE}") returned 0x7 [0090.228] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0090.228] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.228] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.228] _wfsopen (_FileName="C:\\\\$Recycle.Bin\\S-1-5-21-3785418085-2572485238-895829336-1000\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.230] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.230] __uncaught_exception () returned 0x70700 [0090.230] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.232] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 0 [0090.232] FindClose (in: hFindFile=0x44aa78 | out: hFindFile=0x44aa78) returned 1 [0090.232] wcslen (_String="C:\\\\$Recycle.Bin") returned 0x10 [0090.232] strlen (_Str="${KEY}") returned 0x6 [0090.232] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0090.232] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0090.232] strlen (_Str="${CODE}") returned 0x7 [0090.232] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0090.232] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.232] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.232] _wfsopen (_FileName="C:\\\\$Recycle.Bin\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.233] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.233] __uncaught_exception () returned 0x70700 [0090.233] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.234] FindNextFileW (in: hFindFile=0x44aa38, lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 1 [0090.234] wcsstr (_Str="autoexec.bat", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.234] _snwprintf (in: _Dest=0x1af760, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\autoexec.bat") returned 16 [0090.234] wcscmp (_String1="autoexec.bat", _String2="!=How_recovery_files=!.txt") returned 1 [0090.234] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="autoexec.bat") returned 0x0 [0090.234] wcslen (_String="C:\\\\autoexec.bat") returned 0x10 [0090.234] CreateFileW (lpFileName="C:\\\\autoexec.bat" (normalized: "c:\\autoexec.bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x68 [0090.236] ??_U@YAPAXI@Z () returned 0x1130020 [0090.236] ReadFile (in: hFile=0x68, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1af44c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1af44c*=0x18, lpOverlapped=0x0) returned 1 [0090.249] SetFilePointer (in: hFile=0x68, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.249] WriteFile (in: hFile=0x68, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1af44c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1af44c*=0x20, lpOverlapped=0x0) returned 1 [0090.249] CloseHandle (hObject=0x68) returned 1 [0090.250] _wfsopen (_FileName="C:\\\\autoexec.bat", _Mode="a", _ShFlag=64) returned 0x76b32960 [0090.250] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0090.250] __uncaught_exception () returned 0x70700 [0090.250] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.251] MoveFileW (lpExistingFileName="C:\\\\autoexec.bat" (normalized: "c:\\autoexec.bat"), lpNewFileName="C:\\\\autoexec.bat.[rmail@rmail.cc].rmaile" (normalized: "c:\\autoexec.bat.[rmail@rmail.cc].rmaile")) returned 1 [0090.252] ??_V@YAXPAX@Z () returned 0x1 [0090.272] SetFileAttributesW (lpFileName="C:\\\\autoexec.bat", dwFileAttributes=0x0) returned 0 [0090.273] DeleteFileW (lpFileName="C:\\\\autoexec.bat" (normalized: "c:\\autoexec.bat")) returned 0 [0090.273] FindNextFileW (in: hFindFile=0x44aa38, lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 1 [0090.273] wcsstr (_Str="Boot", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.273] _snwprintf (in: _Dest=0x1af760, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot") returned 8 [0090.273] wcscmp (_String1=".", _String2="Boot") returned -1 [0090.273] wcscmp (_String1="..", _String2="Boot") returned -1 [0090.273] wcslen (_String="C:\\\\Boot") returned 0x8 [0090.273] wcscpy_s (in: _Destination=0x1af2a4, _SizeInWords=0x104, _Source="C:\\\\Boot" | out: _Destination="C:\\\\Boot") returned 0x0 [0090.273] wcscat (in: _Dest=0x1af2a4, _Source="\\*" | out: _Dest="C:\\\\Boot\\*") returned="C:\\\\Boot\\*" [0090.273] FindFirstFileW (in: lpFileName="C:\\\\Boot\\*", lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 0x44aa78 [0090.273] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.273] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\.") returned 10 [0090.273] wcscmp (_String1=".", _String2=".") returned 0 [0090.273] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.273] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.273] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\..") returned 11 [0090.273] wcscmp (_String1=".", _String2="..") returned -1 [0090.273] wcscmp (_String1="..", _String2="..") returned 0 [0090.273] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.273] wcsstr (_Str="BCD", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.274] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\BCD") returned 12 [0090.274] wcscmp (_String1="BCD", _String2="!=How_recovery_files=!.txt") returned 1 [0090.274] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="BCD") returned 0x0 [0090.274] wcslen (_String="C:\\\\Boot\\BCD") returned 0xc [0090.274] CreateFileW (lpFileName="C:\\\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.274] GetLastError () returned 0x20 [0090.274] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.274] wcsstr (_Str="BCD.LOG", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.274] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\BCD.LOG") returned 16 [0090.274] wcscmp (_String1="BCD.LOG", _String2="!=How_recovery_files=!.txt") returned 1 [0090.274] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="BCD.LOG") returned 0x0 [0090.274] wcslen (_String="C:\\\\Boot\\BCD.LOG") returned 0x10 [0090.274] CreateFileW (lpFileName="C:\\\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.274] GetLastError () returned 0x20 [0090.274] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.274] wcsstr (_Str="BCD.LOG1", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.274] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\BCD.LOG1") returned 17 [0090.275] wcscmp (_String1="BCD.LOG1", _String2="!=How_recovery_files=!.txt") returned 1 [0090.275] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="BCD.LOG1") returned 0x0 [0090.275] wcslen (_String="C:\\\\Boot\\BCD.LOG1") returned 0x11 [0090.275] CreateFileW (lpFileName="C:\\\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x70 [0090.275] ??_U@YAPAXI@Z () returned 0x1130020 [0090.276] ReadFile (in: hFile=0x70, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1aef90, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1aef90*=0x0, lpOverlapped=0x0) returned 1 [0090.287] CloseHandle (hObject=0x70) returned 1 [0090.287] MoveFileW (lpExistingFileName="C:\\\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="C:\\\\Boot\\BCD.LOG1.[rmail@rmail.cc].rmaile" (normalized: "c:\\boot\\bcd.log1.[rmail@rmail.cc].rmaile")) returned 1 [0090.288] ??_V@YAXPAX@Z () returned 0x1 [0090.294] SetFileAttributesW (lpFileName="C:\\\\Boot\\BCD.LOG1", dwFileAttributes=0x0) returned 0 [0090.294] DeleteFileW (lpFileName="C:\\\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1")) returned 0 [0090.294] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.294] wcsstr (_Str="BCD.LOG2", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.294] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\BCD.LOG2") returned 17 [0090.294] wcscmp (_String1="BCD.LOG2", _String2="!=How_recovery_files=!.txt") returned 1 [0090.294] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="BCD.LOG2") returned 0x0 [0090.294] wcslen (_String="C:\\\\Boot\\BCD.LOG2") returned 0x11 [0090.294] CreateFileW (lpFileName="C:\\\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x70 [0090.295] ??_U@YAPAXI@Z () returned 0x1130020 [0090.295] ReadFile (in: hFile=0x70, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1aef90, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1aef90*=0x0, lpOverlapped=0x0) returned 1 [0090.308] CloseHandle (hObject=0x70) returned 1 [0090.308] MoveFileW (lpExistingFileName="C:\\\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="C:\\\\Boot\\BCD.LOG2.[rmail@rmail.cc].rmaile" (normalized: "c:\\boot\\bcd.log2.[rmail@rmail.cc].rmaile")) returned 1 [0090.309] ??_V@YAXPAX@Z () returned 0x1 [0090.316] SetFileAttributesW (lpFileName="C:\\\\Boot\\BCD.LOG2", dwFileAttributes=0x0) returned 0 [0090.319] DeleteFileW (lpFileName="C:\\\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2")) returned 0 [0090.321] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.321] wcsstr (_Str="BOOTSTAT.DAT", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.321] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\BOOTSTAT.DAT") returned 21 [0090.321] wcscmp (_String1="BOOTSTAT.DAT", _String2="!=How_recovery_files=!.txt") returned 1 [0090.321] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="BOOTSTAT.DAT") returned 0x0 [0090.321] wcslen (_String="C:\\\\Boot\\BOOTSTAT.DAT") returned 0x15 [0090.322] CreateFileW (lpFileName="C:\\\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x70 [0090.322] ??_U@YAPAXI@Z () returned 0x1130020 [0090.322] ReadFile (in: hFile=0x70, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1aef90, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1aef90*=0x10000, lpOverlapped=0x0) returned 1 [0090.345] SetFilePointer (in: hFile=0x70, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.345] WriteFile (in: hFile=0x70, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x10010, lpNumberOfBytesWritten=0x1aef90, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1aef90*=0x10010, lpOverlapped=0x0) returned 1 [0090.346] CloseHandle (hObject=0x70) returned 1 [0090.348] _wfsopen (_FileName="C:\\\\Boot\\BOOTSTAT.DAT", _Mode="a", _ShFlag=64) returned 0x76b32960 [0090.348] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0090.348] __uncaught_exception () returned 0x70700 [0090.348] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.350] MoveFileW (lpExistingFileName="C:\\\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="C:\\\\Boot\\BOOTSTAT.DAT.[rmail@rmail.cc].rmaile" (normalized: "c:\\boot\\bootstat.dat.[rmail@rmail.cc].rmaile")) returned 1 [0090.350] ??_V@YAXPAX@Z () returned 0x1 [0090.358] SetFileAttributesW (lpFileName="C:\\\\Boot\\BOOTSTAT.DAT", dwFileAttributes=0x0) returned 0 [0090.358] DeleteFileW (lpFileName="C:\\\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 0 [0090.358] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.358] wcsstr (_Str="cs-CZ", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.359] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\cs-CZ") returned 14 [0090.359] wcscmp (_String1=".", _String2="cs-CZ") returned -1 [0090.359] wcscmp (_String1="..", _String2="cs-CZ") returned -1 [0090.359] wcslen (_String="C:\\\\Boot\\cs-CZ") returned 0xe [0090.359] wcscpy_s (in: _Destination=0x1aede8, _SizeInWords=0x104, _Source="C:\\\\Boot\\cs-CZ" | out: _Destination="C:\\\\Boot\\cs-CZ") returned 0x0 [0090.359] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\cs-CZ\\*") returned="C:\\\\Boot\\cs-CZ\\*" [0090.359] FindFirstFileW (in: lpFileName="C:\\\\Boot\\cs-CZ\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.360] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.360] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\cs-CZ\\.") returned 16 [0090.360] wcscmp (_String1=".", _String2=".") returned 0 [0090.360] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.360] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.360] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\cs-CZ\\..") returned 17 [0090.360] wcscmp (_String1=".", _String2="..") returned -1 [0090.360] wcscmp (_String1="..", _String2="..") returned 0 [0090.360] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.360] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.361] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 30 [0090.361] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.361] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.361] wcslen (_String="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 0x1e [0090.361] CreateFileW (lpFileName="C:\\\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.363] GetLastError () returned 0x5 [0090.363] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.363] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.363] wcslen (_String="C:\\\\Boot\\cs-CZ") returned 0xe [0090.363] strlen (_Str="${KEY}") returned 0x6 [0090.363] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.363] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.363] strlen (_Str="${CODE}") returned 0x7 [0090.363] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.363] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.363] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.363] _wfsopen (_FileName="C:\\\\Boot\\cs-CZ\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.367] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.367] __uncaught_exception () returned 0x70700 [0090.367] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.369] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.369] wcsstr (_Str="da-DK", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.369] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\da-DK") returned 14 [0090.369] wcscmp (_String1=".", _String2="da-DK") returned -1 [0090.369] wcscmp (_String1="..", _String2="da-DK") returned -1 [0090.369] wcslen (_String="C:\\\\Boot\\da-DK") returned 0xe [0090.369] wcscpy_s (in: _Destination=0x1aede8, _SizeInWords=0x104, _Source="C:\\\\Boot\\da-DK" | out: _Destination="C:\\\\Boot\\da-DK") returned 0x0 [0090.369] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\da-DK\\*") returned="C:\\\\Boot\\da-DK\\*" [0090.369] FindFirstFileW (in: lpFileName="C:\\\\Boot\\da-DK\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.370] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.370] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\da-DK\\.") returned 16 [0090.370] wcscmp (_String1=".", _String2=".") returned 0 [0090.370] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.370] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.370] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\da-DK\\..") returned 17 [0090.370] wcscmp (_String1=".", _String2="..") returned -1 [0090.370] wcscmp (_String1="..", _String2="..") returned 0 [0090.370] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.370] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.370] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\da-DK\\bootmgr.exe.mui") returned 30 [0090.370] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.370] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.370] wcslen (_String="C:\\\\Boot\\da-DK\\bootmgr.exe.mui") returned 0x1e [0090.370] CreateFileW (lpFileName="C:\\\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.371] GetLastError () returned 0x5 [0090.371] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.371] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.371] wcslen (_String="C:\\\\Boot\\da-DK") returned 0xe [0090.372] strlen (_Str="${KEY}") returned 0x6 [0090.372] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.372] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.372] strlen (_Str="${CODE}") returned 0x7 [0090.372] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.372] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.372] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.372] _wfsopen (_FileName="C:\\\\Boot\\da-DK\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.372] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.373] __uncaught_exception () returned 0x70700 [0090.373] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.374] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.374] wcsstr (_Str="de-DE", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.374] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\de-DE") returned 14 [0090.374] wcscmp (_String1=".", _String2="de-DE") returned -1 [0090.374] wcscmp (_String1="..", _String2="de-DE") returned -1 [0090.374] wcslen (_String="C:\\\\Boot\\de-DE") returned 0xe [0090.375] wcscpy_s (in: _Destination=0x1aede8, _SizeInWords=0x104, _Source="C:\\\\Boot\\de-DE" | out: _Destination="C:\\\\Boot\\de-DE") returned 0x0 [0090.375] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\de-DE\\*") returned="C:\\\\Boot\\de-DE\\*" [0090.375] FindFirstFileW (in: lpFileName="C:\\\\Boot\\de-DE\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.376] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.376] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\de-DE\\.") returned 16 [0090.376] wcscmp (_String1=".", _String2=".") returned 0 [0090.376] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.376] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.376] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\de-DE\\..") returned 17 [0090.376] wcscmp (_String1=".", _String2="..") returned -1 [0090.376] wcscmp (_String1="..", _String2="..") returned 0 [0090.376] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.376] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.376] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\de-DE\\bootmgr.exe.mui") returned 30 [0090.376] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.376] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.376] wcslen (_String="C:\\\\Boot\\de-DE\\bootmgr.exe.mui") returned 0x1e [0090.376] CreateFileW (lpFileName="C:\\\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.377] GetLastError () returned 0x5 [0090.377] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.377] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.377] wcslen (_String="C:\\\\Boot\\de-DE") returned 0xe [0090.378] strlen (_Str="${KEY}") returned 0x6 [0090.378] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.378] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.378] strlen (_Str="${CODE}") returned 0x7 [0090.378] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.378] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.378] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.378] _wfsopen (_FileName="C:\\\\Boot\\de-DE\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.379] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.379] __uncaught_exception () returned 0x70700 [0090.379] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.381] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.381] wcsstr (_Str="el-GR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.381] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\el-GR") returned 14 [0090.381] wcscmp (_String1=".", _String2="el-GR") returned -1 [0090.381] wcscmp (_String1="..", _String2="el-GR") returned -1 [0090.381] wcslen (_String="C:\\\\Boot\\el-GR") returned 0xe [0090.381] wcscpy_s (in: _Destination=0x1aede8, _SizeInWords=0x104, _Source="C:\\\\Boot\\el-GR" | out: _Destination="C:\\\\Boot\\el-GR") returned 0x0 [0090.381] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\el-GR\\*") returned="C:\\\\Boot\\el-GR\\*" [0090.381] FindFirstFileW (in: lpFileName="C:\\\\Boot\\el-GR\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.381] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.382] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\el-GR\\.") returned 16 [0090.382] wcscmp (_String1=".", _String2=".") returned 0 [0090.382] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.382] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.382] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\el-GR\\..") returned 17 [0090.382] wcscmp (_String1=".", _String2="..") returned -1 [0090.382] wcscmp (_String1="..", _String2="..") returned 0 [0090.382] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.382] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.382] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\el-GR\\bootmgr.exe.mui") returned 30 [0090.382] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.382] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.382] wcslen (_String="C:\\\\Boot\\el-GR\\bootmgr.exe.mui") returned 0x1e [0090.382] CreateFileW (lpFileName="C:\\\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.382] GetLastError () returned 0x5 [0090.382] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.383] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.383] wcslen (_String="C:\\\\Boot\\el-GR") returned 0xe [0090.383] strlen (_Str="${KEY}") returned 0x6 [0090.383] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.383] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.383] strlen (_Str="${CODE}") returned 0x7 [0090.383] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.383] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.383] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.383] _wfsopen (_FileName="C:\\\\Boot\\el-GR\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.384] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.384] __uncaught_exception () returned 0x70700 [0090.384] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.385] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.385] wcsstr (_Str="en-US", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.386] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-US") returned 14 [0090.386] wcscmp (_String1=".", _String2="en-US") returned -1 [0090.386] wcscmp (_String1="..", _String2="en-US") returned -1 [0090.386] wcslen (_String="C:\\\\Boot\\en-US") returned 0xe [0090.386] wcscpy_s (in: _Destination=0x1aede8, _SizeInWords=0x104, _Source="C:\\\\Boot\\en-US" | out: _Destination="C:\\\\Boot\\en-US") returned 0x0 [0090.386] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\en-US\\*") returned="C:\\\\Boot\\en-US\\*" [0090.386] FindFirstFileW (in: lpFileName="C:\\\\Boot\\en-US\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.387] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.387] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-US\\.") returned 16 [0090.387] wcscmp (_String1=".", _String2=".") returned 0 [0090.387] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.387] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.387] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-US\\..") returned 17 [0090.387] wcscmp (_String1=".", _String2="..") returned -1 [0090.387] wcscmp (_String1="..", _String2="..") returned 0 [0090.387] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.387] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.387] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-US\\bootmgr.exe.mui") returned 30 [0090.387] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.387] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.387] wcslen (_String="C:\\\\Boot\\en-US\\bootmgr.exe.mui") returned 0x1e [0090.388] CreateFileW (lpFileName="C:\\\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.388] GetLastError () returned 0x5 [0090.388] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.388] wcsstr (_Str="memtest.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.388] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\en-US\\memtest.exe.mui") returned 30 [0090.388] wcscmp (_String1="memtest.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.388] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="memtest.exe.mui") returned 0x0 [0090.388] wcslen (_String="C:\\\\Boot\\en-US\\memtest.exe.mui") returned 0x1e [0090.388] CreateFileW (lpFileName="C:\\\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.389] GetLastError () returned 0x5 [0090.389] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.389] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.389] wcslen (_String="C:\\\\Boot\\en-US") returned 0xe [0090.389] strlen (_Str="${KEY}") returned 0x6 [0090.389] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.390] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.390] strlen (_Str="${CODE}") returned 0x7 [0090.390] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.390] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.390] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.390] _wfsopen (_FileName="C:\\\\Boot\\en-US\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.392] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.392] __uncaught_exception () returned 0x70700 [0090.392] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.394] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.394] wcsstr (_Str="es-ES", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.394] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\es-ES") returned 14 [0090.394] wcscmp (_String1=".", _String2="es-ES") returned -1 [0090.394] wcscmp (_String1="..", _String2="es-ES") returned -1 [0090.394] wcslen (_String="C:\\\\Boot\\es-ES") returned 0xe [0090.394] wcscpy_s (in: _Destination=0x1aede8, _SizeInWords=0x104, _Source="C:\\\\Boot\\es-ES" | out: _Destination="C:\\\\Boot\\es-ES") returned 0x0 [0090.394] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\es-ES\\*") returned="C:\\\\Boot\\es-ES\\*" [0090.394] FindFirstFileW (in: lpFileName="C:\\\\Boot\\es-ES\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.395] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.395] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\es-ES\\.") returned 16 [0090.395] wcscmp (_String1=".", _String2=".") returned 0 [0090.395] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.395] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.395] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\es-ES\\..") returned 17 [0090.395] wcscmp (_String1=".", _String2="..") returned -1 [0090.395] wcscmp (_String1="..", _String2="..") returned 0 [0090.395] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.395] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.395] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\es-ES\\bootmgr.exe.mui") returned 30 [0090.395] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.395] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.395] wcslen (_String="C:\\\\Boot\\es-ES\\bootmgr.exe.mui") returned 0x1e [0090.395] CreateFileW (lpFileName="C:\\\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.395] GetLastError () returned 0x5 [0090.395] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.395] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.395] wcslen (_String="C:\\\\Boot\\es-ES") returned 0xe [0090.395] strlen (_Str="${KEY}") returned 0x6 [0090.395] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.395] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.395] strlen (_Str="${CODE}") returned 0x7 [0090.395] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.396] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.396] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.396] _wfsopen (_FileName="C:\\\\Boot\\es-ES\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.396] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.396] __uncaught_exception () returned 0x70700 [0090.396] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.397] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.398] wcsstr (_Str="fi-FI", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.398] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fi-FI") returned 14 [0090.398] wcscmp (_String1=".", _String2="fi-FI") returned -1 [0090.398] wcscmp (_String1="..", _String2="fi-FI") returned -1 [0090.398] wcslen (_String="C:\\\\Boot\\fi-FI") returned 0xe [0090.398] wcscpy_s (in: _Destination=0x1aede8, _SizeInWords=0x104, _Source="C:\\\\Boot\\fi-FI" | out: _Destination="C:\\\\Boot\\fi-FI") returned 0x0 [0090.398] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\fi-FI\\*") returned="C:\\\\Boot\\fi-FI\\*" [0090.398] FindFirstFileW (in: lpFileName="C:\\\\Boot\\fi-FI\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.398] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.398] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fi-FI\\.") returned 16 [0090.398] wcscmp (_String1=".", _String2=".") returned 0 [0090.398] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.398] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.398] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fi-FI\\..") returned 17 [0090.398] wcscmp (_String1=".", _String2="..") returned -1 [0090.398] wcscmp (_String1="..", _String2="..") returned 0 [0090.399] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.399] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.399] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui") returned 30 [0090.399] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.399] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.399] wcslen (_String="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui") returned 0x1e [0090.399] CreateFileW (lpFileName="C:\\\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.400] GetLastError () returned 0x5 [0090.400] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.400] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.400] wcslen (_String="C:\\\\Boot\\fi-FI") returned 0xe [0090.400] strlen (_Str="${KEY}") returned 0x6 [0090.400] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.400] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.400] strlen (_Str="${CODE}") returned 0x7 [0090.400] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.401] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.401] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.401] _wfsopen (_FileName="C:\\\\Boot\\fi-FI\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.406] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.406] __uncaught_exception () returned 0x70700 [0090.406] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.407] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.407] wcsstr (_Str="Fonts", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.407] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts") returned 14 [0090.407] wcscmp (_String1=".", _String2="Fonts") returned -1 [0090.407] wcscmp (_String1="..", _String2="Fonts") returned -1 [0090.407] wcslen (_String="C:\\\\Boot\\Fonts") returned 0xe [0090.407] wcscpy_s (in: _Destination=0x1aede8, _SizeInWords=0x104, _Source="C:\\\\Boot\\Fonts" | out: _Destination="C:\\\\Boot\\Fonts") returned 0x0 [0090.407] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\Fonts\\*") returned="C:\\\\Boot\\Fonts\\*" [0090.407] FindFirstFileW (in: lpFileName="C:\\\\Boot\\Fonts\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.408] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.408] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\.") returned 16 [0090.408] wcscmp (_String1=".", _String2=".") returned 0 [0090.408] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.408] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.408] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\..") returned 17 [0090.408] wcscmp (_String1=".", _String2="..") returned -1 [0090.408] wcscmp (_String1="..", _String2="..") returned 0 [0090.408] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.408] wcsstr (_Str="chs_boot.ttf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.408] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\chs_boot.ttf") returned 27 [0090.409] wcscmp (_String1="chs_boot.ttf", _String2="!=How_recovery_files=!.txt") returned 1 [0090.409] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="chs_boot.ttf") returned 0x0 [0090.409] wcslen (_String="C:\\\\Boot\\Fonts\\chs_boot.ttf") returned 0x1b [0090.409] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.409] GetLastError () returned 0x5 [0090.409] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.409] wcsstr (_Str="cht_boot.ttf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.409] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\cht_boot.ttf") returned 27 [0090.409] wcscmp (_String1="cht_boot.ttf", _String2="!=How_recovery_files=!.txt") returned 1 [0090.409] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="cht_boot.ttf") returned 0x0 [0090.409] wcslen (_String="C:\\\\Boot\\Fonts\\cht_boot.ttf") returned 0x1b [0090.409] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.409] GetLastError () returned 0x5 [0090.409] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.409] wcsstr (_Str="jpn_boot.ttf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.409] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\jpn_boot.ttf") returned 27 [0090.409] wcscmp (_String1="jpn_boot.ttf", _String2="!=How_recovery_files=!.txt") returned 1 [0090.410] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="jpn_boot.ttf") returned 0x0 [0090.410] wcslen (_String="C:\\\\Boot\\Fonts\\jpn_boot.ttf") returned 0x1b [0090.410] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.410] GetLastError () returned 0x5 [0090.410] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.410] wcsstr (_Str="kor_boot.ttf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.410] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\kor_boot.ttf") returned 27 [0090.410] wcscmp (_String1="kor_boot.ttf", _String2="!=How_recovery_files=!.txt") returned 1 [0090.410] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="kor_boot.ttf") returned 0x0 [0090.410] wcslen (_String="C:\\\\Boot\\Fonts\\kor_boot.ttf") returned 0x1b [0090.410] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.410] GetLastError () returned 0x5 [0090.410] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.410] wcsstr (_Str="wgl4_boot.ttf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.410] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\Fonts\\wgl4_boot.ttf") returned 28 [0090.410] wcscmp (_String1="wgl4_boot.ttf", _String2="!=How_recovery_files=!.txt") returned 1 [0090.410] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="wgl4_boot.ttf") returned 0x0 [0090.410] wcslen (_String="C:\\\\Boot\\Fonts\\wgl4_boot.ttf") returned 0x1c [0090.410] CreateFileW (lpFileName="C:\\\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.411] GetLastError () returned 0x5 [0090.411] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.411] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.411] wcslen (_String="C:\\\\Boot\\Fonts") returned 0xe [0090.411] strlen (_Str="${KEY}") returned 0x6 [0090.411] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.411] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.411] strlen (_Str="${CODE}") returned 0x7 [0090.411] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.411] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.411] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.411] _wfsopen (_FileName="C:\\\\Boot\\Fonts\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.413] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.413] __uncaught_exception () returned 0x70700 [0090.413] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.414] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.414] wcsstr (_Str="fr-FR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.414] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fr-FR") returned 14 [0090.414] wcscmp (_String1=".", _String2="fr-FR") returned -1 [0090.414] wcscmp (_String1="..", _String2="fr-FR") returned -1 [0090.414] wcslen (_String="C:\\\\Boot\\fr-FR") returned 0xe [0090.414] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\fr-FR\\*") returned="C:\\\\Boot\\fr-FR\\*" [0090.414] FindFirstFileW (in: lpFileName="C:\\\\Boot\\fr-FR\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.414] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.414] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fr-FR\\.") returned 16 [0090.414] wcscmp (_String1=".", _String2=".") returned 0 [0090.414] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.414] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.415] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fr-FR\\..") returned 17 [0090.415] wcscmp (_String1=".", _String2="..") returned -1 [0090.415] wcscmp (_String1="..", _String2="..") returned 0 [0090.415] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.415] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.415] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui") returned 30 [0090.415] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.415] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.415] wcslen (_String="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui") returned 0x1e [0090.415] CreateFileW (lpFileName="C:\\\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.415] GetLastError () returned 0x5 [0090.415] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.415] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.415] wcslen (_String="C:\\\\Boot\\fr-FR") returned 0xe [0090.415] strlen (_Str="${KEY}") returned 0x6 [0090.415] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.415] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.415] strlen (_Str="${CODE}") returned 0x7 [0090.415] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.415] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.415] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.415] _wfsopen (_FileName="C:\\\\Boot\\fr-FR\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.416] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.416] __uncaught_exception () returned 0x70700 [0090.416] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.417] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.417] wcsstr (_Str="hu-HU", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.417] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\hu-HU") returned 14 [0090.417] wcscmp (_String1=".", _String2="hu-HU") returned -1 [0090.417] wcscmp (_String1="..", _String2="hu-HU") returned -1 [0090.418] wcslen (_String="C:\\\\Boot\\hu-HU") returned 0xe [0090.418] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\hu-HU\\*") returned="C:\\\\Boot\\hu-HU\\*" [0090.418] FindFirstFileW (in: lpFileName="C:\\\\Boot\\hu-HU\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.418] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.418] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\hu-HU\\.") returned 16 [0090.418] wcscmp (_String1=".", _String2=".") returned 0 [0090.418] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.418] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.418] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\hu-HU\\..") returned 17 [0090.418] wcscmp (_String1=".", _String2="..") returned -1 [0090.418] wcscmp (_String1="..", _String2="..") returned 0 [0090.419] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.419] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.419] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui") returned 30 [0090.419] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.419] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.419] wcslen (_String="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui") returned 0x1e [0090.419] CreateFileW (lpFileName="C:\\\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.419] GetLastError () returned 0x5 [0090.419] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.419] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.419] wcslen (_String="C:\\\\Boot\\hu-HU") returned 0xe [0090.419] strlen (_Str="${KEY}") returned 0x6 [0090.419] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.419] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.419] strlen (_Str="${CODE}") returned 0x7 [0090.419] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.420] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.420] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.420] _wfsopen (_FileName="C:\\\\Boot\\hu-HU\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.420] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.420] __uncaught_exception () returned 0x70700 [0090.420] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.421] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.421] wcsstr (_Str="it-IT", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.421] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\it-IT") returned 14 [0090.421] wcscmp (_String1=".", _String2="it-IT") returned -1 [0090.421] wcscmp (_String1="..", _String2="it-IT") returned -1 [0090.421] wcslen (_String="C:\\\\Boot\\it-IT") returned 0xe [0090.421] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\it-IT\\*") returned="C:\\\\Boot\\it-IT\\*" [0090.421] FindFirstFileW (in: lpFileName="C:\\\\Boot\\it-IT\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.422] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.422] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\it-IT\\.") returned 16 [0090.422] wcscmp (_String1=".", _String2=".") returned 0 [0090.422] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.422] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.422] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\it-IT\\..") returned 17 [0090.422] wcscmp (_String1=".", _String2="..") returned -1 [0090.422] wcscmp (_String1="..", _String2="..") returned 0 [0090.422] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.422] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.422] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\it-IT\\bootmgr.exe.mui") returned 30 [0090.422] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.422] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.422] wcslen (_String="C:\\\\Boot\\it-IT\\bootmgr.exe.mui") returned 0x1e [0090.422] CreateFileW (lpFileName="C:\\\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.422] GetLastError () returned 0x5 [0090.422] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.422] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.422] wcslen (_String="C:\\\\Boot\\it-IT") returned 0xe [0090.422] strlen (_Str="${KEY}") returned 0x6 [0090.422] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.422] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.422] strlen (_Str="${CODE}") returned 0x7 [0090.422] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.422] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.422] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.422] _wfsopen (_FileName="C:\\\\Boot\\it-IT\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.423] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.423] __uncaught_exception () returned 0x70700 [0090.423] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.424] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.424] wcsstr (_Str="ja-JP", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.424] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ja-JP") returned 14 [0090.424] wcscmp (_String1=".", _String2="ja-JP") returned -1 [0090.424] wcscmp (_String1="..", _String2="ja-JP") returned -1 [0090.424] wcslen (_String="C:\\\\Boot\\ja-JP") returned 0xe [0090.424] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\ja-JP\\*") returned="C:\\\\Boot\\ja-JP\\*" [0090.424] FindFirstFileW (in: lpFileName="C:\\\\Boot\\ja-JP\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.425] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.425] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ja-JP\\.") returned 16 [0090.425] wcscmp (_String1=".", _String2=".") returned 0 [0090.425] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.425] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.425] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ja-JP\\..") returned 17 [0090.425] wcscmp (_String1=".", _String2="..") returned -1 [0090.425] wcscmp (_String1="..", _String2="..") returned 0 [0090.425] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.425] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.425] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui") returned 30 [0090.425] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.425] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.425] wcslen (_String="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui") returned 0x1e [0090.425] CreateFileW (lpFileName="C:\\\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.426] GetLastError () returned 0x5 [0090.426] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.426] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.427] wcslen (_String="C:\\\\Boot\\ja-JP") returned 0xe [0090.427] strlen (_Str="${KEY}") returned 0x6 [0090.427] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.427] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.427] strlen (_Str="${CODE}") returned 0x7 [0090.427] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.427] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.427] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.427] _wfsopen (_FileName="C:\\\\Boot\\ja-JP\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.427] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.427] __uncaught_exception () returned 0x70700 [0090.427] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.429] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.429] wcsstr (_Str="ko-KR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.429] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ko-KR") returned 14 [0090.429] wcscmp (_String1=".", _String2="ko-KR") returned -1 [0090.429] wcscmp (_String1="..", _String2="ko-KR") returned -1 [0090.429] wcslen (_String="C:\\\\Boot\\ko-KR") returned 0xe [0090.429] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\ko-KR\\*") returned="C:\\\\Boot\\ko-KR\\*" [0090.429] FindFirstFileW (in: lpFileName="C:\\\\Boot\\ko-KR\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.429] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.429] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ko-KR\\.") returned 16 [0090.429] wcscmp (_String1=".", _String2=".") returned 0 [0090.429] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.429] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.429] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ko-KR\\..") returned 17 [0090.429] wcscmp (_String1=".", _String2="..") returned -1 [0090.429] wcscmp (_String1="..", _String2="..") returned 0 [0090.429] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.429] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.429] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui") returned 30 [0090.429] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.429] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.429] wcslen (_String="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui") returned 0x1e [0090.429] CreateFileW (lpFileName="C:\\\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.430] GetLastError () returned 0x5 [0090.430] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.430] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.430] wcslen (_String="C:\\\\Boot\\ko-KR") returned 0xe [0090.430] strlen (_Str="${KEY}") returned 0x6 [0090.430] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.430] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.430] strlen (_Str="${CODE}") returned 0x7 [0090.430] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.430] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.430] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.430] _wfsopen (_FileName="C:\\\\Boot\\ko-KR\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.430] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.430] __uncaught_exception () returned 0x70700 [0090.430] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.432] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.432] wcsstr (_Str="memtest.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.432] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\memtest.exe") returned 20 [0090.432] wcscmp (_String1="memtest.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0090.432] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="memtest.exe") returned 0x0 [0090.432] wcslen (_String="C:\\\\Boot\\memtest.exe") returned 0x14 [0090.432] CreateFileW (lpFileName="C:\\\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.433] GetLastError () returned 0x5 [0090.433] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.433] wcsstr (_Str="nb-NO", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.433] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nb-NO") returned 14 [0090.433] wcscmp (_String1=".", _String2="nb-NO") returned -1 [0090.433] wcscmp (_String1="..", _String2="nb-NO") returned -1 [0090.433] wcslen (_String="C:\\\\Boot\\nb-NO") returned 0xe [0090.433] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\nb-NO\\*") returned="C:\\\\Boot\\nb-NO\\*" [0090.433] FindFirstFileW (in: lpFileName="C:\\\\Boot\\nb-NO\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.433] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.433] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nb-NO\\.") returned 16 [0090.433] wcscmp (_String1=".", _String2=".") returned 0 [0090.434] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.434] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.434] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nb-NO\\..") returned 17 [0090.434] wcscmp (_String1=".", _String2="..") returned -1 [0090.434] wcscmp (_String1="..", _String2="..") returned 0 [0090.434] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.434] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.434] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui") returned 30 [0090.434] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.434] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.434] wcslen (_String="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui") returned 0x1e [0090.434] CreateFileW (lpFileName="C:\\\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.434] GetLastError () returned 0x5 [0090.434] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.434] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.434] wcslen (_String="C:\\\\Boot\\nb-NO") returned 0xe [0090.434] strlen (_Str="${KEY}") returned 0x6 [0090.434] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.434] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.434] strlen (_Str="${CODE}") returned 0x7 [0090.434] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.435] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.435] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.435] _wfsopen (_FileName="C:\\\\Boot\\nb-NO\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.435] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.435] __uncaught_exception () returned 0x70700 [0090.435] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.436] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.436] wcsstr (_Str="nl-NL", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.437] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nl-NL") returned 14 [0090.437] wcscmp (_String1=".", _String2="nl-NL") returned -1 [0090.437] wcscmp (_String1="..", _String2="nl-NL") returned -1 [0090.437] wcslen (_String="C:\\\\Boot\\nl-NL") returned 0xe [0090.437] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\nl-NL\\*") returned="C:\\\\Boot\\nl-NL\\*" [0090.437] FindFirstFileW (in: lpFileName="C:\\\\Boot\\nl-NL\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.437] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.437] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nl-NL\\.") returned 16 [0090.437] wcscmp (_String1=".", _String2=".") returned 0 [0090.437] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.437] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.437] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nl-NL\\..") returned 17 [0090.437] wcscmp (_String1=".", _String2="..") returned -1 [0090.437] wcscmp (_String1="..", _String2="..") returned 0 [0090.437] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.437] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.437] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui") returned 30 [0090.437] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.437] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.437] wcslen (_String="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui") returned 0x1e [0090.437] CreateFileW (lpFileName="C:\\\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.438] GetLastError () returned 0x5 [0090.438] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.438] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.438] wcslen (_String="C:\\\\Boot\\nl-NL") returned 0xe [0090.438] strlen (_Str="${KEY}") returned 0x6 [0090.438] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.438] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.438] strlen (_Str="${CODE}") returned 0x7 [0090.438] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.438] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.438] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.438] _wfsopen (_FileName="C:\\\\Boot\\nl-NL\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.439] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.439] __uncaught_exception () returned 0x70700 [0090.439] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.440] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.440] wcsstr (_Str="pl-PL", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.440] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pl-PL") returned 14 [0090.440] wcscmp (_String1=".", _String2="pl-PL") returned -1 [0090.440] wcscmp (_String1="..", _String2="pl-PL") returned -1 [0090.440] wcslen (_String="C:\\\\Boot\\pl-PL") returned 0xe [0090.440] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\pl-PL\\*") returned="C:\\\\Boot\\pl-PL\\*" [0090.440] FindFirstFileW (in: lpFileName="C:\\\\Boot\\pl-PL\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.441] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.441] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pl-PL\\.") returned 16 [0090.441] wcscmp (_String1=".", _String2=".") returned 0 [0090.441] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.441] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.441] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pl-PL\\..") returned 17 [0090.441] wcscmp (_String1=".", _String2="..") returned -1 [0090.441] wcscmp (_String1="..", _String2="..") returned 0 [0090.441] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.441] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.441] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui") returned 30 [0090.441] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.441] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.441] wcslen (_String="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui") returned 0x1e [0090.441] CreateFileW (lpFileName="C:\\\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.441] GetLastError () returned 0x5 [0090.441] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.441] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.441] wcslen (_String="C:\\\\Boot\\pl-PL") returned 0xe [0090.441] strlen (_Str="${KEY}") returned 0x6 [0090.441] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.441] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.441] strlen (_Str="${CODE}") returned 0x7 [0090.441] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.441] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.441] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.441] _wfsopen (_FileName="C:\\\\Boot\\pl-PL\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.442] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.442] __uncaught_exception () returned 0x70700 [0090.442] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.443] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.443] wcsstr (_Str="pt-BR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.443] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-BR") returned 14 [0090.443] wcscmp (_String1=".", _String2="pt-BR") returned -1 [0090.443] wcscmp (_String1="..", _String2="pt-BR") returned -1 [0090.443] wcslen (_String="C:\\\\Boot\\pt-BR") returned 0xe [0090.443] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\pt-BR\\*") returned="C:\\\\Boot\\pt-BR\\*" [0090.443] FindFirstFileW (in: lpFileName="C:\\\\Boot\\pt-BR\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.443] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.443] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-BR\\.") returned 16 [0090.443] wcscmp (_String1=".", _String2=".") returned 0 [0090.443] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.443] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.443] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-BR\\..") returned 17 [0090.443] wcscmp (_String1=".", _String2="..") returned -1 [0090.444] wcscmp (_String1="..", _String2="..") returned 0 [0090.444] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.444] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.444] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui") returned 30 [0090.444] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.444] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.444] wcslen (_String="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui") returned 0x1e [0090.444] CreateFileW (lpFileName="C:\\\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.444] GetLastError () returned 0x5 [0090.444] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.444] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.444] wcslen (_String="C:\\\\Boot\\pt-BR") returned 0xe [0090.445] strlen (_Str="${KEY}") returned 0x6 [0090.445] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.445] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.445] strlen (_Str="${CODE}") returned 0x7 [0090.445] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.445] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.445] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.445] _wfsopen (_FileName="C:\\\\Boot\\pt-BR\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.445] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.445] __uncaught_exception () returned 0x70700 [0090.445] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.446] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.446] wcsstr (_Str="pt-PT", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.446] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-PT") returned 14 [0090.446] wcscmp (_String1=".", _String2="pt-PT") returned -1 [0090.446] wcscmp (_String1="..", _String2="pt-PT") returned -1 [0090.446] wcslen (_String="C:\\\\Boot\\pt-PT") returned 0xe [0090.446] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\pt-PT\\*") returned="C:\\\\Boot\\pt-PT\\*" [0090.446] FindFirstFileW (in: lpFileName="C:\\\\Boot\\pt-PT\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.447] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.447] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-PT\\.") returned 16 [0090.447] wcscmp (_String1=".", _String2=".") returned 0 [0090.447] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.447] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.447] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-PT\\..") returned 17 [0090.447] wcscmp (_String1=".", _String2="..") returned -1 [0090.447] wcscmp (_String1="..", _String2="..") returned 0 [0090.447] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.447] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.447] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui") returned 30 [0090.447] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.447] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.447] wcslen (_String="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui") returned 0x1e [0090.447] CreateFileW (lpFileName="C:\\\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.447] GetLastError () returned 0x5 [0090.447] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.447] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.447] wcslen (_String="C:\\\\Boot\\pt-PT") returned 0xe [0090.447] strlen (_Str="${KEY}") returned 0x6 [0090.447] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.447] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.447] strlen (_Str="${CODE}") returned 0x7 [0090.447] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.447] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.447] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.447] _wfsopen (_FileName="C:\\\\Boot\\pt-PT\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.448] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.448] __uncaught_exception () returned 0x70700 [0090.448] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.449] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.449] wcsstr (_Str="ru-RU", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.449] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ru-RU") returned 14 [0090.449] wcscmp (_String1=".", _String2="ru-RU") returned -1 [0090.449] wcscmp (_String1="..", _String2="ru-RU") returned -1 [0090.449] wcslen (_String="C:\\\\Boot\\ru-RU") returned 0xe [0090.449] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\ru-RU\\*") returned="C:\\\\Boot\\ru-RU\\*" [0090.449] FindFirstFileW (in: lpFileName="C:\\\\Boot\\ru-RU\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.449] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.449] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ru-RU\\.") returned 16 [0090.449] wcscmp (_String1=".", _String2=".") returned 0 [0090.449] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.449] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.450] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ru-RU\\..") returned 17 [0090.450] wcscmp (_String1=".", _String2="..") returned -1 [0090.450] wcscmp (_String1="..", _String2="..") returned 0 [0090.450] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.450] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.450] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui") returned 30 [0090.450] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.450] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.450] wcslen (_String="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui") returned 0x1e [0090.450] CreateFileW (lpFileName="C:\\\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.450] GetLastError () returned 0x5 [0090.450] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.450] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.451] wcslen (_String="C:\\\\Boot\\ru-RU") returned 0xe [0090.451] strlen (_Str="${KEY}") returned 0x6 [0090.451] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.451] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.451] strlen (_Str="${CODE}") returned 0x7 [0090.451] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.451] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.451] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.451] _wfsopen (_FileName="C:\\\\Boot\\ru-RU\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.451] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.451] __uncaught_exception () returned 0x70700 [0090.451] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.452] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.452] wcsstr (_Str="sv-SE", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.452] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sv-SE") returned 14 [0090.452] wcscmp (_String1=".", _String2="sv-SE") returned -1 [0090.452] wcscmp (_String1="..", _String2="sv-SE") returned -1 [0090.452] wcslen (_String="C:\\\\Boot\\sv-SE") returned 0xe [0090.452] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\sv-SE\\*") returned="C:\\\\Boot\\sv-SE\\*" [0090.453] FindFirstFileW (in: lpFileName="C:\\\\Boot\\sv-SE\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.453] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.453] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sv-SE\\.") returned 16 [0090.453] wcscmp (_String1=".", _String2=".") returned 0 [0090.453] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.453] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.453] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sv-SE\\..") returned 17 [0090.453] wcscmp (_String1=".", _String2="..") returned -1 [0090.453] wcscmp (_String1="..", _String2="..") returned 0 [0090.453] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.453] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.453] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui") returned 30 [0090.453] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.453] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.453] wcslen (_String="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui") returned 0x1e [0090.453] CreateFileW (lpFileName="C:\\\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.453] GetLastError () returned 0x5 [0090.453] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.453] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.453] wcslen (_String="C:\\\\Boot\\sv-SE") returned 0xe [0090.453] strlen (_Str="${KEY}") returned 0x6 [0090.453] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.453] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.453] strlen (_Str="${CODE}") returned 0x7 [0090.453] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.454] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.454] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.454] _wfsopen (_FileName="C:\\\\Boot\\sv-SE\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.454] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.454] __uncaught_exception () returned 0x70700 [0090.454] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.456] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.456] wcsstr (_Str="tr-TR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.456] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\tr-TR") returned 14 [0090.456] wcscmp (_String1=".", _String2="tr-TR") returned -1 [0090.456] wcscmp (_String1="..", _String2="tr-TR") returned -1 [0090.456] wcslen (_String="C:\\\\Boot\\tr-TR") returned 0xe [0090.456] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\tr-TR\\*") returned="C:\\\\Boot\\tr-TR\\*" [0090.456] FindFirstFileW (in: lpFileName="C:\\\\Boot\\tr-TR\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.457] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.457] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\tr-TR\\.") returned 16 [0090.457] wcscmp (_String1=".", _String2=".") returned 0 [0090.457] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.457] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.457] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\tr-TR\\..") returned 17 [0090.457] wcscmp (_String1=".", _String2="..") returned -1 [0090.457] wcscmp (_String1="..", _String2="..") returned 0 [0090.457] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.457] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.457] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui") returned 30 [0090.457] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.457] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.457] wcslen (_String="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui") returned 0x1e [0090.457] CreateFileW (lpFileName="C:\\\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.458] GetLastError () returned 0x5 [0090.458] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.458] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.458] wcslen (_String="C:\\\\Boot\\tr-TR") returned 0xe [0090.458] strlen (_Str="${KEY}") returned 0x6 [0090.458] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.458] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.458] strlen (_Str="${CODE}") returned 0x7 [0090.458] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.458] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.458] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.458] _wfsopen (_FileName="C:\\\\Boot\\tr-TR\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.458] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.459] __uncaught_exception () returned 0x70700 [0090.459] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.460] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.460] wcsstr (_Str="zh-CN", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.460] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-CN") returned 14 [0090.460] wcscmp (_String1=".", _String2="zh-CN") returned -1 [0090.460] wcscmp (_String1="..", _String2="zh-CN") returned -1 [0090.460] wcslen (_String="C:\\\\Boot\\zh-CN") returned 0xe [0090.460] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\zh-CN\\*") returned="C:\\\\Boot\\zh-CN\\*" [0090.460] FindFirstFileW (in: lpFileName="C:\\\\Boot\\zh-CN\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.460] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.460] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-CN\\.") returned 16 [0090.460] wcscmp (_String1=".", _String2=".") returned 0 [0090.460] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.460] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.460] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-CN\\..") returned 17 [0090.460] wcscmp (_String1=".", _String2="..") returned -1 [0090.460] wcscmp (_String1="..", _String2="..") returned 0 [0090.460] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.460] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.460] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui") returned 30 [0090.460] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.460] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.460] wcslen (_String="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui") returned 0x1e [0090.461] CreateFileW (lpFileName="C:\\\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.461] GetLastError () returned 0x5 [0090.461] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.461] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.461] wcslen (_String="C:\\\\Boot\\zh-CN") returned 0xe [0090.461] strlen (_Str="${KEY}") returned 0x6 [0090.461] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.461] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.461] strlen (_Str="${CODE}") returned 0x7 [0090.461] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.461] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.461] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.461] _wfsopen (_FileName="C:\\\\Boot\\zh-CN\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.461] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.461] __uncaught_exception () returned 0x70700 [0090.461] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.463] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.463] wcsstr (_Str="zh-HK", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.463] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-HK") returned 14 [0090.463] wcscmp (_String1=".", _String2="zh-HK") returned -1 [0090.463] wcscmp (_String1="..", _String2="zh-HK") returned -1 [0090.463] wcslen (_String="C:\\\\Boot\\zh-HK") returned 0xe [0090.463] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\zh-HK\\*") returned="C:\\\\Boot\\zh-HK\\*" [0090.463] FindFirstFileW (in: lpFileName="C:\\\\Boot\\zh-HK\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.463] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.464] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-HK\\.") returned 16 [0090.464] wcscmp (_String1=".", _String2=".") returned 0 [0090.464] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.464] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.464] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-HK\\..") returned 17 [0090.464] wcscmp (_String1=".", _String2="..") returned -1 [0090.464] wcscmp (_String1="..", _String2="..") returned 0 [0090.464] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.464] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.464] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui") returned 30 [0090.464] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.464] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.464] wcslen (_String="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui") returned 0x1e [0090.464] CreateFileW (lpFileName="C:\\\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.464] GetLastError () returned 0x5 [0090.464] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.464] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.465] wcslen (_String="C:\\\\Boot\\zh-HK") returned 0xe [0090.465] strlen (_Str="${KEY}") returned 0x6 [0090.465] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.465] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.465] strlen (_Str="${CODE}") returned 0x7 [0090.465] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.465] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.465] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.465] _wfsopen (_FileName="C:\\\\Boot\\zh-HK\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.465] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.465] __uncaught_exception () returned 0x70700 [0090.465] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.466] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.467] wcsstr (_Str="zh-TW", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.467] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-TW") returned 14 [0090.467] wcscmp (_String1=".", _String2="zh-TW") returned -1 [0090.467] wcscmp (_String1="..", _String2="zh-TW") returned -1 [0090.467] wcslen (_String="C:\\\\Boot\\zh-TW") returned 0xe [0090.467] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Boot\\zh-TW\\*") returned="C:\\\\Boot\\zh-TW\\*" [0090.467] FindFirstFileW (in: lpFileName="C:\\\\Boot\\zh-TW\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.467] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.467] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-TW\\.") returned 16 [0090.467] wcscmp (_String1=".", _String2=".") returned 0 [0090.467] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.467] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.467] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-TW\\..") returned 17 [0090.467] wcscmp (_String1=".", _String2="..") returned -1 [0090.467] wcscmp (_String1="..", _String2="..") returned 0 [0090.467] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.467] wcsstr (_Str="bootmgr.exe.mui", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.467] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui") returned 30 [0090.467] wcscmp (_String1="bootmgr.exe.mui", _String2="!=How_recovery_files=!.txt") returned 1 [0090.467] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr.exe.mui") returned 0x0 [0090.467] wcslen (_String="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui") returned 0x1e [0090.467] CreateFileW (lpFileName="C:\\\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.467] GetLastError () returned 0x5 [0090.467] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0090.467] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0090.468] wcslen (_String="C:\\\\Boot\\zh-TW") returned 0xe [0090.468] strlen (_Str="${KEY}") returned 0x6 [0090.468] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x11) returned 0x7d185 [0090.468] memchr (_Buf=0x7d186, _Val=36, _MaxCount=0x3) returned 0x0 [0090.468] strlen (_Str="${CODE}") returned 0x7 [0090.468] memchr (_Buf=0x7d178, _Val=36, _MaxCount=0x10) returned 0x7d185 [0090.468] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.468] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.468] _wfsopen (_FileName="C:\\\\Boot\\zh-TW\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.468] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.468] __uncaught_exception () returned 0x70700 [0090.468] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.469] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 0 [0090.470] FindClose (in: hFindFile=0x44aa78 | out: hFindFile=0x44aa78) returned 1 [0090.470] wcslen (_String="C:\\\\Boot") returned 0x8 [0090.470] strlen (_Str="${KEY}") returned 0x6 [0090.470] memchr (_Buf=0x7d150, _Val=36, _MaxCount=0x11) returned 0x7d15d [0090.470] memchr (_Buf=0x7d15e, _Val=36, _MaxCount=0x3) returned 0x0 [0090.470] strlen (_Str="${CODE}") returned 0x7 [0090.470] memchr (_Buf=0x7d150, _Val=36, _MaxCount=0x10) returned 0x7d15d [0090.470] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.470] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0090.470] _wfsopen (_FileName="C:\\\\Boot\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0090.470] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0090.470] __uncaught_exception () returned 0x70700 [0090.470] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.472] FindNextFileW (in: hFindFile=0x44aa38, lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 1 [0090.472] wcsstr (_Str="bootmgr", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.472] _snwprintf (in: _Dest=0x1af760, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\bootmgr") returned 11 [0090.472] wcscmp (_String1="bootmgr", _String2="!=How_recovery_files=!.txt") returned 1 [0090.472] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="bootmgr") returned 0x0 [0090.472] wcslen (_String="C:\\\\bootmgr") returned 0xb [0090.472] CreateFileW (lpFileName="C:\\\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.473] GetLastError () returned 0x5 [0090.473] FindNextFileW (in: hFindFile=0x44aa38, lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 1 [0090.473] wcsstr (_Str="BOOTSECT.BAK", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.473] _snwprintf (in: _Dest=0x1af760, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\BOOTSECT.BAK") returned 16 [0090.473] wcscmp (_String1="BOOTSECT.BAK", _String2="!=How_recovery_files=!.txt") returned 1 [0090.473] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="BOOTSECT.BAK") returned 0x0 [0090.473] wcslen (_String="C:\\\\BOOTSECT.BAK") returned 0x10 [0090.473] CreateFileW (lpFileName="C:\\\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.473] GetLastError () returned 0x5 [0090.473] FindNextFileW (in: hFindFile=0x44aa38, lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 1 [0090.473] wcsstr (_Str="config.sys", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.473] _snwprintf (in: _Dest=0x1af760, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\config.sys") returned 14 [0090.473] wcscmp (_String1="config.sys", _String2="!=How_recovery_files=!.txt") returned 1 [0090.473] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="config.sys") returned 0x0 [0090.473] wcslen (_String="C:\\\\config.sys") returned 0xe [0090.473] CreateFileW (lpFileName="C:\\\\config.sys" (normalized: "c:\\config.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x68 [0090.474] ReadFile (in: hFile=0x68, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1af44c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1af44c*=0xa, lpOverlapped=0x0) returned 1 [0090.490] SetFilePointer (in: hFile=0x68, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.490] WriteFile (in: hFile=0x68, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x1af44c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1af44c*=0x10, lpOverlapped=0x0) returned 1 [0090.490] CloseHandle (hObject=0x68) returned 1 [0090.491] _wfsopen (_FileName="C:\\\\config.sys", _Mode="a", _ShFlag=64) returned 0x76b32960 [0090.491] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0090.491] __uncaught_exception () returned 0x70700 [0090.491] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0090.492] MoveFileW (lpExistingFileName="C:\\\\config.sys" (normalized: "c:\\config.sys"), lpNewFileName="C:\\\\config.sys.[rmail@rmail.cc].rmaile" (normalized: "c:\\config.sys.[rmail@rmail.cc].rmaile")) returned 1 [0090.493] ??_V@YAXPAX@Z () returned 0x1 [0090.501] SetFileAttributesW (lpFileName="C:\\\\config.sys", dwFileAttributes=0x0) returned 0 [0090.501] DeleteFileW (lpFileName="C:\\\\config.sys" (normalized: "c:\\config.sys")) returned 0 [0090.501] FindNextFileW (in: hFindFile=0x44aa38, lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 1 [0090.501] wcsstr (_Str="Documents and Settings", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.501] _snwprintf (in: _Dest=0x1af760, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Documents and Settings") returned 26 [0090.501] wcscmp (_String1=".", _String2="Documents and Settings") returned -1 [0090.501] wcscmp (_String1="..", _String2="Documents and Settings") returned -1 [0090.501] wcslen (_String="C:\\\\Documents and Settings") returned 0x1a [0090.501] wcscat (in: _Dest=0x1af2a4, _Source="\\*" | out: _Dest="C:\\\\Documents and Settings\\*") returned="C:\\\\Documents and Settings\\*" [0090.501] FindFirstFileW (in: lpFileName="C:\\\\Documents and Settings\\*", lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 0xffffffff [0090.502] FindNextFileW (in: hFindFile=0x44aa38, lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 1 [0090.502] wcsstr (_Str="hiberfil.sys", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.502] _snwprintf (in: _Dest=0x1af760, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\hiberfil.sys") returned 16 [0090.502] wcscmp (_String1="hiberfil.sys", _String2="!=How_recovery_files=!.txt") returned 1 [0090.502] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="hiberfil.sys") returned 0x0 [0090.502] wcslen (_String="C:\\\\hiberfil.sys") returned 0x10 [0090.502] CreateFileW (lpFileName="C:\\\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0090.502] GetLastError () returned 0x20 [0090.502] FindNextFileW (in: hFindFile=0x44aa38, lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 1 [0090.502] wcsstr (_Str="MSOCache", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.502] _snwprintf (in: _Dest=0x1af760, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache") returned 12 [0090.502] wcscmp (_String1=".", _String2="MSOCache") returned -1 [0090.502] wcscmp (_String1="..", _String2="MSOCache") returned -1 [0090.502] wcslen (_String="C:\\\\MSOCache") returned 0xc [0090.502] wcscat (in: _Dest=0x1af2a4, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\*") returned="C:\\\\MSOCache\\*" [0090.502] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\*", lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 0x44aa78 [0090.503] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.503] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\.") returned 14 [0090.503] wcscmp (_String1=".", _String2=".") returned 0 [0090.503] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.503] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.503] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\..") returned 15 [0090.503] wcscmp (_String1=".", _String2="..") returned -1 [0090.503] wcscmp (_String1="..", _String2="..") returned 0 [0090.503] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0090.503] wcsstr (_Str="All Users", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.503] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users") returned 22 [0090.503] wcscmp (_String1=".", _String2="All Users") returned -1 [0090.503] wcscmp (_String1="..", _String2="All Users") returned -1 [0090.503] wcslen (_String="C:\\\\MSOCache\\All Users") returned 0x16 [0090.503] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\*") returned="C:\\\\MSOCache\\All Users\\*" [0090.503] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0090.518] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.518] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\.") returned 24 [0090.518] wcscmp (_String1=".", _String2=".") returned 0 [0090.518] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.519] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.519] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\..") returned 25 [0090.519] wcscmp (_String1=".", _String2="..") returned -1 [0090.519] wcscmp (_String1="..", _String2="..") returned 0 [0090.519] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0090.519] wcsstr (_Str="{90140000-0016-0409-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.519] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C") returned 63 [0090.519] wcscmp (_String1=".", _String2="{90140000-0016-0409-0000-0000000FF1CE}-C") returned -1 [0090.519] wcscmp (_String1="..", _String2="{90140000-0016-0409-0000-0000000FF1CE}-C") returned -1 [0090.519] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C") returned 0x3f [0090.519] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\*" [0090.519] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0090.573] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.573] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\.") returned 65 [0090.574] wcscmp (_String1=".", _String2=".") returned 0 [0090.574] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0090.574] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.574] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\..") returned 66 [0090.574] wcscmp (_String1=".", _String2="..") returned -1 [0090.574] wcscmp (_String1="..", _String2="..") returned 0 [0090.574] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0090.574] wcsstr (_Str="ExcelLR.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0090.574] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelLR.cab") returned 75 [0090.574] wcscmp (_String1="ExcelLR.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0090.574] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ExcelLR.cab") returned 0x0 [0090.574] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelLR.cab") returned 0x4b [0090.574] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\excellr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0090.575] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0090.720] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0090.720] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0090.748] CloseHandle (hObject=0x78) returned 1 [0092.855] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelLR.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0092.855] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0092.855] __uncaught_exception () returned 0x70700 [0092.855] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0095.282] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelLR.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\excellr.cab.[rmail@rmail.cc].rmaile")) returned 1 [0095.285] ??_V@YAXPAX@Z () returned 0x1 [0095.294] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelLR.cab", dwFileAttributes=0x2000) returned 0 [0095.294] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\excellr.cab")) returned 0 [0095.294] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0095.294] wcsstr (_Str="ExcelMUI.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0095.294] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.msi") returned 76 [0095.294] wcscmp (_String1="ExcelMUI.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0095.294] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ExcelMUI.msi") returned 0x0 [0095.294] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.msi") returned 0x4c [0095.294] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0095.295] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0095.568] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.568] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0095.602] CloseHandle (hObject=0x78) returned 1 [0095.633] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0095.634] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0095.634] __uncaught_exception () returned 0x70700 [0095.634] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0095.653] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\excelmui.msi.[rmail@rmail.cc].rmaile")) returned 1 [0095.654] ??_V@YAXPAX@Z () returned 0x1 [0095.663] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.msi", dwFileAttributes=0x2000) returned 0 [0095.663] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\excelmui.msi")) returned 0 [0095.663] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0095.663] wcsstr (_Str="ExcelMUI.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0095.663] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.xml") returned 76 [0095.663] wcscmp (_String1="ExcelMUI.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0095.664] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ExcelMUI.xml") returned 0x0 [0095.664] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.xml") returned 0x4c [0095.664] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0095.664] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x61d, lpOverlapped=0x0) returned 1 [0095.717] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.717] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x620, lpOverlapped=0x0) returned 1 [0095.718] CloseHandle (hObject=0x78) returned 1 [0095.718] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0095.719] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0095.719] __uncaught_exception () returned 0x70700 [0095.719] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0095.720] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\excelmui.xml.[rmail@rmail.cc].rmaile")) returned 1 [0095.721] ??_V@YAXPAX@Z () returned 0x1 [0095.730] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.xml", dwFileAttributes=0x2000) returned 0 [0095.731] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\excelmui.xml")) returned 0 [0095.731] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0095.731] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0095.731] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0095.731] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0095.731] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0095.731] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0095.731] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0095.799] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x8f8, lpOverlapped=0x0) returned 1 [0095.886] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0095.886] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x900, lpOverlapped=0x0) returned 1 [0095.886] CloseHandle (hObject=0x78) returned 1 [0095.887] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0095.887] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0095.888] __uncaught_exception () returned 0x70700 [0095.888] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0095.889] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0095.889] ??_V@YAXPAX@Z () returned 0x1 [0095.903] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0095.903] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0095.903] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0095.903] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0095.904] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C") returned 0x3f [0095.904] strlen (_Str="${KEY}") returned 0x6 [0095.904] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0095.904] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0095.904] strlen (_Str="${CODE}") returned 0x7 [0095.904] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0095.904] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0095.904] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0095.904] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0095.905] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0095.905] __uncaught_exception () returned 0x70700 [0095.905] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0095.907] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0095.907] wcsstr (_Str="{90140000-0018-0409-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0095.907] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C") returned 63 [0095.907] wcscmp (_String1=".", _String2="{90140000-0018-0409-0000-0000000FF1CE}-C") returned -1 [0095.907] wcscmp (_String1="..", _String2="{90140000-0018-0409-0000-0000000FF1CE}-C") returned -1 [0095.907] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C") returned 0x3f [0095.907] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\*" [0095.907] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0095.919] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0095.919] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\.") returned 65 [0095.919] wcscmp (_String1=".", _String2=".") returned 0 [0095.919] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0095.919] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0095.919] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\..") returned 66 [0095.919] wcscmp (_String1=".", _String2="..") returned -1 [0095.919] wcscmp (_String1="..", _String2="..") returned 0 [0095.919] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0095.919] wcsstr (_Str="PowerPointMUI.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0095.919] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 81 [0095.919] wcscmp (_String1="PowerPointMUI.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0095.919] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="PowerPointMUI.msi") returned 0x0 [0095.919] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 0x51 [0095.919] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\powerpointmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0095.920] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0096.110] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.110] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0096.155] CloseHandle (hObject=0x78) returned 1 [0096.198] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0096.198] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0096.198] __uncaught_exception () returned 0x70700 [0096.198] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0096.208] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\powerpointmui.msi.[rmail@rmail.cc].rmaile")) returned 1 [0096.209] ??_V@YAXPAX@Z () returned 0x1 [0096.217] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.msi", dwFileAttributes=0x2000) returned 0 [0096.217] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\powerpointmui.msi")) returned 0 [0096.217] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0096.217] wcsstr (_Str="PowerPointMUI.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0096.217] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 81 [0096.217] wcscmp (_String1="PowerPointMUI.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0096.217] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="PowerPointMUI.xml") returned 0x0 [0096.217] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 0x51 [0096.217] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0096.218] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x615, lpOverlapped=0x0) returned 1 [0096.287] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.288] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x620, lpOverlapped=0x0) returned 1 [0096.288] CloseHandle (hObject=0x78) returned 1 [0096.289] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0096.289] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0096.289] __uncaught_exception () returned 0x70700 [0096.289] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0096.292] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\powerpointmui.xml.[rmail@rmail.cc].rmaile")) returned 1 [0096.292] ??_V@YAXPAX@Z () returned 0x1 [0096.298] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.xml", dwFileAttributes=0x2000) returned 0 [0096.299] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\powerpointmui.xml")) returned 0 [0096.299] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0096.299] wcsstr (_Str="PptLR.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0096.299] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PptLR.cab") returned 73 [0096.299] wcscmp (_String1="PptLR.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0096.299] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="PptLR.cab") returned 0x0 [0096.299] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PptLR.cab") returned 0x49 [0096.299] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0096.300] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0096.517] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0096.517] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0096.531] CloseHandle (hObject=0x78) returned 1 [0097.266] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PptLR.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0097.267] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0097.267] __uncaught_exception () returned 0x70700 [0097.267] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0097.797] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PptLR.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\pptlr.cab.[rmail@rmail.cc].rmaile")) returned 1 [0097.797] ??_V@YAXPAX@Z () returned 0x1 [0097.803] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PptLR.cab", dwFileAttributes=0x2000) returned 0 [0097.803] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\pptlr.cab")) returned 0 [0097.803] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0097.804] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0097.804] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0097.804] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0097.804] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0097.804] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0097.804] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0097.924] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x75e, lpOverlapped=0x0) returned 1 [0097.941] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0097.941] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x760, lpOverlapped=0x0) returned 1 [0097.941] CloseHandle (hObject=0x78) returned 1 [0097.942] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0097.942] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0097.942] __uncaught_exception () returned 0x70700 [0097.942] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0097.943] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0097.946] ??_V@YAXPAX@Z () returned 0x1 [0097.952] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0097.952] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0097.952] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0097.952] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0097.952] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C") returned 0x3f [0097.952] strlen (_Str="${KEY}") returned 0x6 [0097.952] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0097.952] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0097.952] strlen (_Str="${CODE}") returned 0x7 [0097.952] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0097.952] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0097.952] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0097.952] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0097.953] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0097.953] __uncaught_exception () returned 0x70700 [0097.953] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0097.954] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0097.954] wcsstr (_Str="{90140000-0019-0409-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0097.954] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C") returned 63 [0097.954] wcscmp (_String1=".", _String2="{90140000-0019-0409-0000-0000000FF1CE}-C") returned -1 [0097.954] wcscmp (_String1="..", _String2="{90140000-0019-0409-0000-0000000FF1CE}-C") returned -1 [0097.954] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C") returned 0x3f [0097.954] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\*" [0097.954] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0097.975] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0097.975] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\.") returned 65 [0097.975] wcscmp (_String1=".", _String2=".") returned 0 [0097.975] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0097.976] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0097.976] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\..") returned 66 [0097.976] wcscmp (_String1=".", _String2="..") returned -1 [0097.976] wcscmp (_String1="..", _String2="..") returned 0 [0097.976] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0097.976] wcsstr (_Str="PublisherMUI.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0097.976] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.msi") returned 80 [0097.976] wcscmp (_String1="PublisherMUI.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0097.976] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="PublisherMUI.msi") returned 0x0 [0097.976] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.msi") returned 0x50 [0097.976] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0097.977] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0098.250] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.251] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0098.264] CloseHandle (hObject=0x78) returned 1 [0098.280] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0098.280] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0098.280] __uncaught_exception () returned 0x70700 [0098.280] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0098.289] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\publishermui.msi.[rmail@rmail.cc].rmaile")) returned 1 [0098.290] ??_V@YAXPAX@Z () returned 0x1 [0098.299] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.msi", dwFileAttributes=0x2000) returned 0 [0098.300] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\publishermui.msi")) returned 0 [0098.300] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0098.300] wcsstr (_Str="PublisherMUI.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0098.300] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.xml") returned 80 [0098.300] wcscmp (_String1="PublisherMUI.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0098.300] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="PublisherMUI.xml") returned 0x0 [0098.300] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.xml") returned 0x50 [0098.300] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0098.301] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x5aa, lpOverlapped=0x0) returned 1 [0098.483] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.483] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x5b0, lpOverlapped=0x0) returned 1 [0098.483] CloseHandle (hObject=0x78) returned 1 [0098.484] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0098.485] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0098.485] __uncaught_exception () returned 0x70700 [0098.485] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0098.486] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\publishermui.xml.[rmail@rmail.cc].rmaile")) returned 1 [0098.487] ??_V@YAXPAX@Z () returned 0x1 [0098.494] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.xml", dwFileAttributes=0x2000) returned 0 [0098.494] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\publishermui.xml")) returned 0 [0098.494] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0098.495] wcsstr (_Str="PubLR.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0098.495] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PubLR.cab") returned 73 [0098.495] wcscmp (_String1="PubLR.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0098.495] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="PubLR.cab") returned 0x0 [0098.495] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PubLR.cab") returned 0x49 [0098.495] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0098.496] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0098.642] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0098.642] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0098.673] CloseHandle (hObject=0x78) returned 1 [0099.316] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PubLR.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0099.317] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0099.317] __uncaught_exception () returned 0x70700 [0099.317] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0099.764] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PubLR.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\publr.cab.[rmail@rmail.cc].rmaile")) returned 1 [0099.765] ??_V@YAXPAX@Z () returned 0x1 [0099.773] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PubLR.cab", dwFileAttributes=0x2000) returned 0 [0099.773] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\publr.cab")) returned 0 [0099.773] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0099.773] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0099.773] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0099.773] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0099.773] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0099.773] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0099.773] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0099.791] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x648, lpOverlapped=0x0) returned 1 [0099.950] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0099.950] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x650, lpOverlapped=0x0) returned 1 [0099.950] CloseHandle (hObject=0x78) returned 1 [0099.951] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0099.951] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0099.951] __uncaught_exception () returned 0x70700 [0099.951] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0099.952] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0099.952] ??_V@YAXPAX@Z () returned 0x1 [0099.961] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0099.961] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0099.961] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0099.961] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0099.961] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C") returned 0x3f [0099.961] strlen (_Str="${KEY}") returned 0x6 [0099.961] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0099.961] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0099.962] strlen (_Str="${CODE}") returned 0x7 [0099.962] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0099.962] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0099.962] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0099.962] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0099.962] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0099.962] __uncaught_exception () returned 0x70700 [0099.962] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0099.964] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0099.964] wcsstr (_Str="{90140000-001A-0409-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0099.964] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C") returned 63 [0099.964] wcscmp (_String1=".", _String2="{90140000-001A-0409-0000-0000000FF1CE}-C") returned -1 [0099.964] wcscmp (_String1="..", _String2="{90140000-001A-0409-0000-0000000FF1CE}-C") returned -1 [0099.964] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C") returned 0x3f [0099.964] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\*" [0099.964] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0099.976] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0099.976] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\.") returned 65 [0099.976] wcscmp (_String1=".", _String2=".") returned 0 [0099.976] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0099.976] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0099.976] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\..") returned 66 [0099.976] wcscmp (_String1=".", _String2="..") returned -1 [0099.976] wcscmp (_String1="..", _String2="..") returned 0 [0099.976] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0099.976] wcsstr (_Str="OutlkLR.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0099.976] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlkLR.cab") returned 75 [0099.976] wcscmp (_String1="OutlkLR.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0099.976] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OutlkLR.cab") returned 0x0 [0099.976] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlkLR.cab") returned 0x4b [0099.977] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0099.978] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0101.627] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0101.627] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0101.643] CloseHandle (hObject=0x78) returned 1 [0102.471] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlkLR.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0102.472] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0102.472] __uncaught_exception () returned 0x70700 [0102.472] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0102.932] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlkLR.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\outlklr.cab.[rmail@rmail.cc].rmaile")) returned 1 [0102.932] ??_V@YAXPAX@Z () returned 0x1 [0102.939] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlkLR.cab", dwFileAttributes=0x2000) returned 0 [0102.939] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\outlklr.cab")) returned 0 [0102.939] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0102.939] wcsstr (_Str="OutlookMUI.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0102.939] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.msi") returned 78 [0102.939] wcscmp (_String1="OutlookMUI.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0102.939] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OutlookMUI.msi") returned 0x0 [0102.939] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.msi") returned 0x4e [0102.939] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0102.940] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0103.111] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.112] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0103.151] CloseHandle (hObject=0x78) returned 1 [0103.227] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0103.227] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0103.227] __uncaught_exception () returned 0x70700 [0103.227] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0103.259] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\outlookmui.msi.[rmail@rmail.cc].rmaile")) returned 1 [0103.259] ??_V@YAXPAX@Z () returned 0x1 [0103.266] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.msi", dwFileAttributes=0x2000) returned 0 [0103.266] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\outlookmui.msi")) returned 0 [0103.266] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0103.266] wcsstr (_Str="OutlookMUI.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0103.266] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.xml") returned 78 [0103.266] wcscmp (_String1="OutlookMUI.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0103.266] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OutlookMUI.xml") returned 0x0 [0103.266] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.xml") returned 0x4e [0103.266] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0103.266] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0xc72, lpOverlapped=0x0) returned 1 [0103.357] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.357] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0xc80, lpOverlapped=0x0) returned 1 [0103.357] CloseHandle (hObject=0x78) returned 1 [0103.358] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0103.358] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0103.358] __uncaught_exception () returned 0x70700 [0103.358] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0103.359] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\outlookmui.xml.[rmail@rmail.cc].rmaile")) returned 1 [0103.359] ??_V@YAXPAX@Z () returned 0x1 [0103.366] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.xml", dwFileAttributes=0x2000) returned 0 [0103.366] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\outlookmui.xml")) returned 0 [0103.367] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0103.367] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0103.367] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0103.367] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0103.367] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0103.367] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0103.367] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0103.367] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x106f, lpOverlapped=0x0) returned 1 [0103.392] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.392] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x1070, lpOverlapped=0x0) returned 1 [0103.392] CloseHandle (hObject=0x78) returned 1 [0103.393] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0103.393] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0103.393] __uncaught_exception () returned 0x70700 [0103.394] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0103.395] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0103.396] ??_V@YAXPAX@Z () returned 0x1 [0103.402] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0103.402] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0103.402] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0103.402] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0103.402] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C") returned 0x3f [0103.402] strlen (_Str="${KEY}") returned 0x6 [0103.402] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0103.402] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0103.402] strlen (_Str="${CODE}") returned 0x7 [0103.402] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0103.402] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0103.403] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0103.403] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0103.403] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0103.403] __uncaught_exception () returned 0x70700 [0103.403] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0103.410] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0103.410] wcsstr (_Str="{90140000-001B-0409-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0103.410] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C") returned 63 [0103.410] wcscmp (_String1=".", _String2="{90140000-001B-0409-0000-0000000FF1CE}-C") returned -1 [0103.410] wcscmp (_String1="..", _String2="{90140000-001B-0409-0000-0000000FF1CE}-C") returned -1 [0103.410] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C") returned 0x3f [0103.410] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\*" [0103.410] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0103.410] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0103.410] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\.") returned 65 [0103.410] wcscmp (_String1=".", _String2=".") returned 0 [0103.410] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0103.411] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0103.411] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\..") returned 66 [0103.411] wcscmp (_String1=".", _String2="..") returned -1 [0103.411] wcscmp (_String1="..", _String2="..") returned 0 [0103.411] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0103.411] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0103.411] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0103.411] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0103.411] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0103.411] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0103.411] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0103.432] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x978, lpOverlapped=0x0) returned 1 [0103.552] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.552] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x980, lpOverlapped=0x0) returned 1 [0103.553] CloseHandle (hObject=0x78) returned 1 [0103.554] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0103.554] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0103.554] __uncaught_exception () returned 0x70700 [0103.554] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0103.555] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0103.557] ??_V@YAXPAX@Z () returned 0x1 [0103.566] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0103.566] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0103.567] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0103.567] wcsstr (_Str="WordLR.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0103.567] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordLR.cab") returned 74 [0103.567] wcscmp (_String1="WordLR.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0103.567] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="WordLR.cab") returned 0x0 [0103.567] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordLR.cab") returned 0x4a [0103.567] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0103.571] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0103.814] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0103.814] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0103.887] CloseHandle (hObject=0x78) returned 1 [0105.060] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordLR.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0105.060] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0105.060] __uncaught_exception () returned 0x70700 [0105.061] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0105.581] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordLR.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\wordlr.cab.[rmail@rmail.cc].rmaile")) returned 1 [0105.582] ??_V@YAXPAX@Z () returned 0x1 [0105.593] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordLR.cab", dwFileAttributes=0x2000) returned 0 [0105.593] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\wordlr.cab")) returned 0 [0105.593] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0105.593] wcsstr (_Str="WordMUI.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0105.593] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.msi") returned 75 [0105.593] wcscmp (_String1="WordMUI.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0105.593] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="WordMUI.msi") returned 0x0 [0105.593] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.msi") returned 0x4b [0105.593] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0105.594] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0105.712] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0105.712] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0105.728] CloseHandle (hObject=0x78) returned 1 [0105.756] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0105.756] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0105.756] __uncaught_exception () returned 0x70700 [0105.756] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0105.768] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\wordmui.msi.[rmail@rmail.cc].rmaile")) returned 1 [0105.769] ??_V@YAXPAX@Z () returned 0x1 [0105.784] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.msi", dwFileAttributes=0x2000) returned 0 [0105.784] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\wordmui.msi")) returned 0 [0105.785] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0105.785] wcsstr (_Str="WordMUI.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0105.785] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.xml") returned 75 [0105.785] wcscmp (_String1="WordMUI.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0105.785] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="WordMUI.xml") returned 0x0 [0105.785] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.xml") returned 0x4b [0105.785] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0105.785] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x708, lpOverlapped=0x0) returned 1 [0106.104] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.104] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x710, lpOverlapped=0x0) returned 1 [0106.105] CloseHandle (hObject=0x78) returned 1 [0106.105] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0106.106] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0106.106] __uncaught_exception () returned 0x70700 [0106.106] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0106.107] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\wordmui.xml.[rmail@rmail.cc].rmaile")) returned 1 [0106.108] ??_V@YAXPAX@Z () returned 0x1 [0106.116] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.xml", dwFileAttributes=0x2000) returned 0 [0106.116] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-0000-0000000ff1ce}-c\\wordmui.xml")) returned 0 [0106.116] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0106.116] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0106.116] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C") returned 0x3f [0106.116] strlen (_Str="${KEY}") returned 0x6 [0106.116] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0106.117] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0106.117] strlen (_Str="${CODE}") returned 0x7 [0106.117] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0106.117] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0106.117] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0106.117] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0106.117] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0106.117] __uncaught_exception () returned 0x70700 [0106.117] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0106.119] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0106.119] wcsstr (_Str="{90140000-002C-0409-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0106.120] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C") returned 63 [0106.120] wcscmp (_String1=".", _String2="{90140000-002C-0409-0000-0000000FF1CE}-C") returned -1 [0106.120] wcscmp (_String1="..", _String2="{90140000-002C-0409-0000-0000000FF1CE}-C") returned -1 [0106.120] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C") returned 0x3f [0106.120] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\*" [0106.120] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0106.211] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0106.211] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\.") returned 65 [0106.212] wcscmp (_String1=".", _String2=".") returned 0 [0106.212] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0106.212] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0106.212] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\..") returned 66 [0106.212] wcscmp (_String1=".", _String2="..") returned -1 [0106.212] wcscmp (_String1="..", _String2="..") returned 0 [0106.212] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0106.212] wcsstr (_Str="Proof.en", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0106.212] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en") returned 72 [0106.212] wcscmp (_String1=".", _String2="Proof.en") returned -1 [0106.212] wcscmp (_String1="..", _String2="Proof.en") returned -1 [0106.212] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en") returned 0x48 [0106.212] wcscat (in: _Dest=0x1ae470, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\*" [0106.212] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 0x44e3e8 [0106.213] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0106.213] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\.") returned 74 [0106.213] wcscmp (_String1=".", _String2=".") returned 0 [0106.213] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0106.213] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0106.213] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\..") returned 75 [0106.213] wcscmp (_String1=".", _String2="..") returned -1 [0106.213] wcscmp (_String1="..", _String2="..") returned 0 [0106.213] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0106.213] wcsstr (_Str="Proof.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0106.213] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 82 [0106.213] wcscmp (_String1="Proof.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0106.213] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Proof.cab") returned 0x0 [0106.213] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 0x52 [0106.213] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0106.214] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0106.546] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0106.546] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0106.873] CloseHandle (hObject=0x80) returned 1 [0107.688] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0107.688] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0107.688] __uncaught_exception () returned 0x70700 [0107.688] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0108.282] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.en\\proof.cab.[rmail@rmail.cc].rmaile")) returned 1 [0108.283] ??_V@YAXPAX@Z () returned 0x1 [0108.289] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.cab", dwFileAttributes=0x2000) returned 0 [0108.289] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.en\\proof.cab")) returned 0 [0108.289] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0108.289] wcsstr (_Str="Proof.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0108.289] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 82 [0108.289] wcscmp (_String1="Proof.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0108.289] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Proof.msi") returned 0x0 [0108.290] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 0x52 [0108.290] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0108.290] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0xa0600, lpOverlapped=0x0) returned 1 [0108.518] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.518] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xa0610, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0xa0610, lpOverlapped=0x0) returned 1 [0108.520] CloseHandle (hObject=0x80) returned 1 [0108.524] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0108.524] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0108.524] __uncaught_exception () returned 0x70700 [0108.524] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0108.529] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.en\\proof.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.en\\proof.msi.[rmail@rmail.cc].rmaile")) returned 1 [0108.530] ??_V@YAXPAX@Z () returned 0x1 [0108.536] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.msi", dwFileAttributes=0x2000) returned 0 [0108.536] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 0 [0108.536] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0108.536] wcsstr (_Str="Proof.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0108.536] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 82 [0108.536] wcscmp (_String1="Proof.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0108.536] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Proof.xml") returned 0x0 [0108.536] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 0x52 [0108.536] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0108.537] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x543, lpOverlapped=0x0) returned 1 [0108.572] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.572] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x550, lpOverlapped=0x0) returned 1 [0108.572] CloseHandle (hObject=0x80) returned 1 [0108.573] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0108.573] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0108.573] __uncaught_exception () returned 0x70700 [0108.573] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0108.574] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.en\\proof.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.en\\proof.xml.[rmail@rmail.cc].rmaile")) returned 1 [0108.576] ??_V@YAXPAX@Z () returned 0x1 [0108.582] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.xml", dwFileAttributes=0x2000) returned 0 [0108.582] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 0 [0108.583] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 0 [0108.583] FindClose (in: hFindFile=0x44e3e8 | out: hFindFile=0x44e3e8) returned 1 [0108.583] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en") returned 0x48 [0108.583] strlen (_Str="${KEY}") returned 0x6 [0108.583] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0108.583] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0108.583] strlen (_Str="${CODE}") returned 0x7 [0108.583] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0108.583] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0108.583] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0108.583] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0108.583] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0108.583] __uncaught_exception () returned 0x70700 [0108.583] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0108.587] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0108.587] wcsstr (_Str="Proof.es", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0108.587] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es") returned 72 [0108.587] wcscmp (_String1=".", _String2="Proof.es") returned -1 [0108.587] wcscmp (_String1="..", _String2="Proof.es") returned -1 [0108.587] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es") returned 0x48 [0108.587] wcscat (in: _Dest=0x1ae470, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\*" [0108.587] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 0x44e3e8 [0108.588] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0108.588] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\.") returned 74 [0108.588] wcscmp (_String1=".", _String2=".") returned 0 [0108.588] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0108.588] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0108.588] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\..") returned 75 [0108.588] wcscmp (_String1=".", _String2="..") returned -1 [0108.588] wcscmp (_String1="..", _String2="..") returned 0 [0108.588] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0108.588] wcsstr (_Str="Proof.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0108.588] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 82 [0108.588] wcscmp (_String1="Proof.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0108.588] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Proof.cab") returned 0x0 [0108.588] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 0x52 [0108.588] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0108.589] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0108.711] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0108.711] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0108.726] CloseHandle (hObject=0x80) returned 1 [0109.373] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0109.373] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0109.373] __uncaught_exception () returned 0x70700 [0109.373] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0109.642] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.es\\proof.cab.[rmail@rmail.cc].rmaile")) returned 1 [0109.643] ??_V@YAXPAX@Z () returned 0x1 [0109.650] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.cab", dwFileAttributes=0x2000) returned 0 [0109.650] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.es\\proof.cab")) returned 0 [0109.650] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0109.650] wcsstr (_Str="Proof.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0109.650] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 82 [0109.650] wcscmp (_String1="Proof.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0109.650] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Proof.msi") returned 0x0 [0109.650] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 0x52 [0109.650] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0109.650] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0xa1e00, lpOverlapped=0x0) returned 1 [0109.766] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.767] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xa1e10, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0xa1e10, lpOverlapped=0x0) returned 1 [0109.770] CloseHandle (hObject=0x80) returned 1 [0109.770] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0109.770] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0109.770] __uncaught_exception () returned 0x70700 [0109.770] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0109.771] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.es\\proof.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.es\\proof.msi.[rmail@rmail.cc].rmaile")) returned 1 [0109.772] ??_V@YAXPAX@Z () returned 0x1 [0109.780] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.msi", dwFileAttributes=0x2000) returned 0 [0109.780] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 0 [0109.780] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0109.780] wcsstr (_Str="Proof.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0109.780] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 82 [0109.780] wcscmp (_String1="Proof.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0109.780] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Proof.xml") returned 0x0 [0109.781] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 0x52 [0109.781] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0109.781] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x5b1, lpOverlapped=0x0) returned 1 [0109.795] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.795] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x5c0, lpOverlapped=0x0) returned 1 [0109.795] CloseHandle (hObject=0x80) returned 1 [0109.795] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0109.795] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0109.795] __uncaught_exception () returned 0x70700 [0109.795] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0109.796] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.es\\proof.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.es\\proof.xml.[rmail@rmail.cc].rmaile")) returned 1 [0109.797] ??_V@YAXPAX@Z () returned 0x1 [0109.804] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.xml", dwFileAttributes=0x2000) returned 0 [0109.804] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 0 [0109.804] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 0 [0109.804] FindClose (in: hFindFile=0x44e3e8 | out: hFindFile=0x44e3e8) returned 1 [0109.805] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es") returned 0x48 [0109.805] strlen (_Str="${KEY}") returned 0x6 [0109.805] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0109.805] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0109.805] strlen (_Str="${CODE}") returned 0x7 [0109.805] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0109.805] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0109.805] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0109.805] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0109.805] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0109.805] __uncaught_exception () returned 0x70700 [0109.805] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0109.806] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0109.806] wcsstr (_Str="Proof.fr", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0109.806] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr") returned 72 [0109.806] wcscmp (_String1=".", _String2="Proof.fr") returned -1 [0109.806] wcscmp (_String1="..", _String2="Proof.fr") returned -1 [0109.806] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr") returned 0x48 [0109.806] wcscat (in: _Dest=0x1ae470, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\*" [0109.806] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 0x44e3e8 [0109.807] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0109.807] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\.") returned 74 [0109.807] wcscmp (_String1=".", _String2=".") returned 0 [0109.807] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0109.807] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0109.807] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\..") returned 75 [0109.807] wcscmp (_String1=".", _String2="..") returned -1 [0109.807] wcscmp (_String1="..", _String2="..") returned 0 [0109.807] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0109.807] wcsstr (_Str="Proof.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0109.807] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 82 [0109.807] wcscmp (_String1="Proof.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0109.807] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Proof.cab") returned 0x0 [0109.807] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 0x52 [0109.807] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0109.807] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0109.945] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0109.945] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0110.267] CloseHandle (hObject=0x80) returned 1 [0110.268] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0110.268] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0110.268] __uncaught_exception () returned 0x70700 [0110.268] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0110.281] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.fr\\proof.cab.[rmail@rmail.cc].rmaile")) returned 1 [0110.281] ??_V@YAXPAX@Z () returned 0x1 [0110.296] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.cab", dwFileAttributes=0x2000) returned 0 [0110.296] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.fr\\proof.cab")) returned 0 [0110.296] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0110.296] wcsstr (_Str="Proof.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0110.296] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 82 [0110.296] wcscmp (_String1="Proof.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0110.296] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Proof.msi") returned 0x0 [0110.296] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 0x52 [0110.296] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0110.297] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0xa3000, lpOverlapped=0x0) returned 1 [0110.846] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.846] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xa3010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0xa3010, lpOverlapped=0x0) returned 1 [0110.848] CloseHandle (hObject=0x80) returned 1 [0110.849] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0110.849] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0110.849] __uncaught_exception () returned 0x70700 [0110.849] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0110.849] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.fr\\proof.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.fr\\proof.msi.[rmail@rmail.cc].rmaile")) returned 1 [0110.850] ??_V@YAXPAX@Z () returned 0x1 [0110.856] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.msi", dwFileAttributes=0x2000) returned 0 [0110.856] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 0 [0110.856] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0110.856] wcsstr (_Str="Proof.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0110.856] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 82 [0110.856] wcscmp (_String1="Proof.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0110.856] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Proof.xml") returned 0x0 [0110.856] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 0x52 [0110.856] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0110.857] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x5b2, lpOverlapped=0x0) returned 1 [0110.962] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0110.962] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x5c0, lpOverlapped=0x0) returned 1 [0110.962] CloseHandle (hObject=0x80) returned 1 [0110.962] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0110.962] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0110.962] __uncaught_exception () returned 0x70700 [0110.962] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0110.963] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.fr\\proof.xml.[rmail@rmail.cc].rmaile")) returned 1 [0110.964] ??_V@YAXPAX@Z () returned 0x1 [0110.972] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.xml", dwFileAttributes=0x2000) returned 0 [0110.972] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 0 [0110.972] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 0 [0110.972] FindClose (in: hFindFile=0x44e3e8 | out: hFindFile=0x44e3e8) returned 1 [0110.973] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr") returned 0x48 [0110.973] strlen (_Str="${KEY}") returned 0x6 [0110.973] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0110.973] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0110.973] strlen (_Str="${CODE}") returned 0x7 [0110.973] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0110.973] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0110.973] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0110.973] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0110.973] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0110.973] __uncaught_exception () returned 0x70700 [0110.973] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0110.979] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0110.979] wcsstr (_Str="Proofing.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0110.980] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.msi") returned 76 [0110.980] wcscmp (_String1="Proofing.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0110.980] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Proofing.msi") returned 0x0 [0110.980] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.msi") returned 0x4c [0110.980] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0110.980] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x9ec00, lpOverlapped=0x0) returned 1 [0111.421] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.421] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x9ec10, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x9ec10, lpOverlapped=0x0) returned 1 [0111.424] CloseHandle (hObject=0x78) returned 1 [0111.424] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0111.424] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0111.424] __uncaught_exception () returned 0x70700 [0111.424] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0111.424] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proofing.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proofing.msi.[rmail@rmail.cc].rmaile")) returned 1 [0111.425] ??_V@YAXPAX@Z () returned 0x1 [0111.431] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.msi", dwFileAttributes=0x2000) returned 0 [0111.431] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proofing.msi")) returned 0 [0111.431] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0111.431] wcsstr (_Str="Proofing.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0111.431] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.xml") returned 76 [0111.431] wcscmp (_String1="Proofing.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0111.431] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Proofing.xml") returned 0x0 [0111.431] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.xml") returned 0x4c [0111.431] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0111.432] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x32b, lpOverlapped=0x0) returned 1 [0111.626] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0111.637] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x330, lpOverlapped=0x0) returned 1 [0111.638] CloseHandle (hObject=0x78) returned 1 [0111.641] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0111.641] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0111.641] __uncaught_exception () returned 0x70700 [0111.642] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0111.642] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proofing.xml.[rmail@rmail.cc].rmaile")) returned 1 [0111.648] ??_V@YAXPAX@Z () returned 0x1 [0111.667] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.xml", dwFileAttributes=0x2000) returned 0 [0111.667] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\proofing.xml")) returned 0 [0111.667] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0111.667] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0111.667] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0111.667] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0111.667] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0111.667] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0111.667] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0111.668] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x16fc, lpOverlapped=0x0) returned 1 [0112.014] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0112.014] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x1700, lpOverlapped=0x0) returned 1 [0112.015] CloseHandle (hObject=0x78) returned 1 [0112.015] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0112.015] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0112.015] __uncaught_exception () returned 0x70700 [0112.015] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0112.016] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0112.032] ??_V@YAXPAX@Z () returned 0x1 [0112.047] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0112.047] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0112.047] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0112.047] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0112.047] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C") returned 0x3f [0112.047] strlen (_Str="${KEY}") returned 0x6 [0112.047] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0112.047] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0112.048] strlen (_Str="${CODE}") returned 0x7 [0112.048] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0112.048] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0112.048] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0112.048] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0112.048] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0112.048] __uncaught_exception () returned 0x70700 [0112.048] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0112.074] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0112.074] wcsstr (_Str="{90140000-0044-0409-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0112.074] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C") returned 63 [0112.074] wcscmp (_String1=".", _String2="{90140000-0044-0409-0000-0000000FF1CE}-C") returned -1 [0112.074] wcscmp (_String1="..", _String2="{90140000-0044-0409-0000-0000000FF1CE}-C") returned -1 [0112.074] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C") returned 0x3f [0112.074] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\*" [0112.074] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0113.097] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0113.097] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\.") returned 65 [0113.097] wcscmp (_String1=".", _String2=".") returned 0 [0113.097] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0113.098] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0113.098] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\..") returned 66 [0113.098] wcscmp (_String1=".", _String2="..") returned -1 [0113.098] wcscmp (_String1="..", _String2="..") returned 0 [0113.098] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0113.098] wcsstr (_Str="InfLR.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0113.098] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfLR.cab") returned 73 [0113.098] wcscmp (_String1="InfLR.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0113.098] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="InfLR.cab") returned 0x0 [0113.098] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfLR.cab") returned 0x49 [0113.098] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0113.098] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0113.786] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0113.786] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0113.947] CloseHandle (hObject=0x78) returned 1 [0113.947] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfLR.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0113.947] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0113.947] __uncaught_exception () returned 0x70700 [0113.947] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0113.949] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfLR.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\inflr.cab.[rmail@rmail.cc].rmaile")) returned 1 [0113.950] ??_V@YAXPAX@Z () returned 0x1 [0113.956] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfLR.cab", dwFileAttributes=0x2000) returned 0 [0113.958] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\inflr.cab")) returned 0 [0113.958] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0113.958] wcsstr (_Str="InfoPathMUI.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0113.958] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 79 [0113.958] wcscmp (_String1="InfoPathMUI.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0113.958] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="InfoPathMUI.msi") returned 0x0 [0113.958] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 0x4f [0113.959] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0113.967] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0114.146] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.146] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0114.162] CloseHandle (hObject=0x78) returned 1 [0114.162] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0114.162] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0114.162] __uncaught_exception () returned 0x70700 [0114.162] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0114.172] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\infopathmui.msi.[rmail@rmail.cc].rmaile")) returned 1 [0114.173] ??_V@YAXPAX@Z () returned 0x1 [0114.181] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.msi", dwFileAttributes=0x2000) returned 0 [0114.181] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\infopathmui.msi")) returned 0 [0114.181] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0114.181] wcsstr (_Str="InfoPathMUI.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0114.181] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 79 [0114.181] wcscmp (_String1="InfoPathMUI.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0114.181] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="InfoPathMUI.xml") returned 0x0 [0114.181] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 0x4f [0114.181] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0114.182] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x4cf, lpOverlapped=0x0) returned 1 [0114.334] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.334] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x4d0, lpOverlapped=0x0) returned 1 [0114.334] CloseHandle (hObject=0x78) returned 1 [0114.335] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0114.335] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0114.335] __uncaught_exception () returned 0x70700 [0114.335] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0114.335] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\infopathmui.xml.[rmail@rmail.cc].rmaile")) returned 1 [0114.336] ??_V@YAXPAX@Z () returned 0x1 [0114.346] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.xml", dwFileAttributes=0x2000) returned 0 [0114.346] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\infopathmui.xml")) returned 0 [0114.346] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0114.346] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0114.346] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0114.346] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0114.346] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0114.346] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0114.346] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0114.347] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x73c, lpOverlapped=0x0) returned 1 [0114.380] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.380] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x740, lpOverlapped=0x0) returned 1 [0114.380] CloseHandle (hObject=0x78) returned 1 [0114.380] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0114.380] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0114.380] __uncaught_exception () returned 0x70700 [0114.380] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0114.381] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0114.381] ??_V@YAXPAX@Z () returned 0x1 [0114.387] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0114.388] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0114.388] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0114.388] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0114.388] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C") returned 0x3f [0114.388] strlen (_Str="${KEY}") returned 0x6 [0114.388] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0114.388] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0114.388] strlen (_Str="${CODE}") returned 0x7 [0114.388] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0114.388] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0114.388] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0114.388] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0114.389] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0114.389] __uncaught_exception () returned 0x70700 [0114.389] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0114.390] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0114.390] wcsstr (_Str="{90140000-0054-0409-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0114.390] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C") returned 63 [0114.390] wcscmp (_String1=".", _String2="{90140000-0054-0409-0000-0000000FF1CE}-C") returned -1 [0114.390] wcscmp (_String1="..", _String2="{90140000-0054-0409-0000-0000000FF1CE}-C") returned -1 [0114.390] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C") returned 0x3f [0114.390] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\*" [0114.390] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0114.395] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0114.395] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\.") returned 65 [0114.395] wcscmp (_String1=".", _String2=".") returned 0 [0114.395] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0114.395] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0114.395] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\..") returned 66 [0114.395] wcscmp (_String1=".", _String2="..") returned -1 [0114.395] wcscmp (_String1="..", _String2="..") returned 0 [0114.395] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0114.395] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0114.395] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0114.395] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0114.395] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0114.395] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0114.395] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0114.396] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x1861, lpOverlapped=0x0) returned 1 [0114.430] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0114.430] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x1870, lpOverlapped=0x0) returned 1 [0114.430] CloseHandle (hObject=0x78) returned 1 [0114.431] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0114.431] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0114.431] __uncaught_exception () returned 0x70700 [0114.431] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0114.431] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0114.433] ??_V@YAXPAX@Z () returned 0x1 [0114.439] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0114.440] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0114.440] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0114.440] wcsstr (_Str="VisioLR.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0114.440] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioLR.cab") returned 75 [0114.440] wcscmp (_String1="VisioLR.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0114.440] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="VisioLR.cab") returned 0x0 [0114.440] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioLR.cab") returned 0x4b [0114.440] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0114.440] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0116.231] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.231] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0116.250] CloseHandle (hObject=0x78) returned 1 [0116.250] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioLR.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0116.250] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0116.250] __uncaught_exception () returned 0x70700 [0116.250] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0116.414] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioLR.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\visiolr.cab.[rmail@rmail.cc].rmaile")) returned 1 [0116.414] ??_V@YAXPAX@Z () returned 0x1 [0116.421] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioLR.cab", dwFileAttributes=0x2000) returned 0 [0116.422] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\visiolr.cab")) returned 0 [0116.422] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0116.422] wcsstr (_Str="VisioMUI.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0116.422] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.msi") returned 76 [0116.422] wcscmp (_String1="VisioMUI.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0116.422] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="VisioMUI.msi") returned 0x0 [0116.422] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.msi") returned 0x4c [0116.422] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0116.422] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0116.858] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0116.859] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0116.875] CloseHandle (hObject=0x78) returned 1 [0116.875] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0116.876] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0116.876] __uncaught_exception () returned 0x70700 [0116.876] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0116.876] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\visiomui.msi.[rmail@rmail.cc].rmaile")) returned 1 [0116.876] ??_V@YAXPAX@Z () returned 0x1 [0116.883] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.msi", dwFileAttributes=0x2000) returned 0 [0116.883] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\visiomui.msi")) returned 0 [0116.883] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0116.883] wcsstr (_Str="VisioMUI.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0116.883] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.xml") returned 76 [0116.883] wcscmp (_String1="VisioMUI.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0116.883] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="VisioMUI.xml") returned 0x0 [0116.883] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.xml") returned 0x4c [0116.883] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0116.884] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x251e, lpOverlapped=0x0) returned 1 [0117.014] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.014] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x2520, lpOverlapped=0x0) returned 1 [0117.014] CloseHandle (hObject=0x78) returned 1 [0117.014] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0117.014] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0117.014] __uncaught_exception () returned 0x70700 [0117.014] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0117.015] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\visiomui.xml.[rmail@rmail.cc].rmaile")) returned 1 [0117.015] ??_V@YAXPAX@Z () returned 0x1 [0117.022] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.xml", dwFileAttributes=0x2000) returned 0 [0117.022] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-0000-0000000ff1ce}-c\\visiomui.xml")) returned 0 [0117.022] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0117.022] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0117.023] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C") returned 0x3f [0117.023] strlen (_Str="${KEY}") returned 0x6 [0117.023] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0117.023] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0117.023] strlen (_Str="${CODE}") returned 0x7 [0117.023] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0117.023] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0117.023] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0117.023] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0054-0409-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0117.024] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0117.024] __uncaught_exception () returned 0x70700 [0117.024] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0117.028] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0117.028] wcsstr (_Str="{90140000-00A1-0409-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0117.028] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C") returned 63 [0117.028] wcscmp (_String1=".", _String2="{90140000-00A1-0409-0000-0000000FF1CE}-C") returned -1 [0117.028] wcscmp (_String1="..", _String2="{90140000-00A1-0409-0000-0000000FF1CE}-C") returned -1 [0117.028] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C") returned 0x3f [0117.028] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\*" [0117.028] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0117.159] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0117.159] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\.") returned 65 [0117.159] wcscmp (_String1=".", _String2=".") returned 0 [0117.159] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0117.159] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0117.159] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\..") returned 66 [0117.159] wcscmp (_String1=".", _String2="..") returned -1 [0117.159] wcscmp (_String1="..", _String2="..") returned 0 [0117.160] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0117.160] wcsstr (_Str="OneNoteMUI.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0117.160] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 78 [0117.160] wcscmp (_String1="OneNoteMUI.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0117.160] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OneNoteMUI.msi") returned 0x0 [0117.160] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 0x4e [0117.160] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0117.160] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0117.748] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.748] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0117.762] CloseHandle (hObject=0x78) returned 1 [0117.762] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0117.762] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0117.762] __uncaught_exception () returned 0x70700 [0117.762] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0117.763] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\onenotemui.msi.[rmail@rmail.cc].rmaile")) returned 1 [0117.763] ??_V@YAXPAX@Z () returned 0x1 [0117.769] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.msi", dwFileAttributes=0x2000) returned 0 [0117.769] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\onenotemui.msi")) returned 0 [0117.769] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0117.769] wcsstr (_Str="OneNoteMUI.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0117.769] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 78 [0117.769] wcscmp (_String1="OneNoteMUI.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0117.769] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OneNoteMUI.xml") returned 0x0 [0117.769] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 0x4e [0117.769] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0117.770] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x646, lpOverlapped=0x0) returned 1 [0117.884] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0117.884] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x650, lpOverlapped=0x0) returned 1 [0117.885] CloseHandle (hObject=0x78) returned 1 [0117.885] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0117.885] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0117.885] __uncaught_exception () returned 0x70700 [0117.885] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0117.885] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\onenotemui.xml.[rmail@rmail.cc].rmaile")) returned 1 [0117.886] ??_V@YAXPAX@Z () returned 0x1 [0117.896] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.xml", dwFileAttributes=0x2000) returned 0 [0117.896] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\onenotemui.xml")) returned 0 [0117.896] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0117.896] wcsstr (_Str="OnoteLR.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0117.897] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OnoteLR.cab") returned 75 [0117.897] wcscmp (_String1="OnoteLR.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0117.897] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OnoteLR.cab") returned 0x0 [0117.897] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OnoteLR.cab") returned 0x4b [0117.897] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0117.897] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0118.112] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.112] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0118.135] CloseHandle (hObject=0x78) returned 1 [0118.164] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OnoteLR.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0118.164] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0118.164] __uncaught_exception () returned 0x70700 [0118.164] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0118.172] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OnoteLR.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\onotelr.cab.[rmail@rmail.cc].rmaile")) returned 1 [0118.172] ??_V@YAXPAX@Z () returned 0x1 [0118.178] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OnoteLR.cab", dwFileAttributes=0x2000) returned 0 [0118.178] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\onotelr.cab")) returned 0 [0118.178] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0118.178] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0118.178] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0118.178] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0118.178] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0118.179] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0118.179] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0118.179] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x7c4, lpOverlapped=0x0) returned 1 [0118.339] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.339] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x7d0, lpOverlapped=0x0) returned 1 [0118.339] CloseHandle (hObject=0x78) returned 1 [0118.339] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0118.339] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0118.339] __uncaught_exception () returned 0x70700 [0118.340] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0118.340] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0118.340] ??_V@YAXPAX@Z () returned 0x1 [0118.346] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0118.347] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0118.347] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0118.347] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0118.347] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C") returned 0x3f [0118.347] strlen (_Str="${KEY}") returned 0x6 [0118.347] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0118.347] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0118.347] strlen (_Str="${CODE}") returned 0x7 [0118.347] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0118.347] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0118.347] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0118.347] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0118.347] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0118.347] __uncaught_exception () returned 0x70700 [0118.347] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0118.349] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0118.349] wcsstr (_Str="{90140000-00B4-0409-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0118.349] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C") returned 63 [0118.349] wcscmp (_String1=".", _String2="{90140000-00B4-0409-0000-0000000FF1CE}-C") returned -1 [0118.349] wcscmp (_String1="..", _String2="{90140000-00B4-0409-0000-0000000FF1CE}-C") returned -1 [0118.349] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C") returned 0x3f [0118.349] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\*" [0118.349] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0118.350] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0118.350] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\.") returned 65 [0118.351] wcscmp (_String1=".", _String2=".") returned 0 [0118.351] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0118.351] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0118.351] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\..") returned 66 [0118.351] wcscmp (_String1=".", _String2="..") returned -1 [0118.351] wcscmp (_String1="..", _String2="..") returned 0 [0118.351] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0118.351] wcsstr (_Str="ProjectMUI.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0118.351] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.msi") returned 78 [0118.351] wcscmp (_String1="ProjectMUI.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0118.351] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ProjectMUI.msi") returned 0x0 [0118.351] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.msi") returned 0x4e [0118.351] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0118.352] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0118.531] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.531] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0118.610] CloseHandle (hObject=0x78) returned 1 [0118.610] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0118.611] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0118.611] __uncaught_exception () returned 0x70700 [0118.611] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0118.611] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\projectmui.msi.[rmail@rmail.cc].rmaile")) returned 1 [0118.611] ??_V@YAXPAX@Z () returned 0x1 [0118.617] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.msi", dwFileAttributes=0x2000) returned 0 [0118.617] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\projectmui.msi")) returned 0 [0118.618] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0118.618] wcsstr (_Str="ProjectMUI.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0118.618] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.xml") returned 78 [0118.618] wcscmp (_String1="ProjectMUI.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0118.618] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ProjectMUI.xml") returned 0x0 [0118.618] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.xml") returned 0x4e [0118.618] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0118.618] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x5ab, lpOverlapped=0x0) returned 1 [0118.656] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0118.656] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x5b0, lpOverlapped=0x0) returned 1 [0118.656] CloseHandle (hObject=0x78) returned 1 [0118.656] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0118.656] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0118.656] __uncaught_exception () returned 0x70700 [0118.656] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0118.657] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\projectmui.xml.[rmail@rmail.cc].rmaile")) returned 1 [0118.657] ??_V@YAXPAX@Z () returned 0x1 [0118.663] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.xml", dwFileAttributes=0x2000) returned 0 [0118.663] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\projectmui.xml")) returned 0 [0118.663] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0118.664] wcsstr (_Str="ProjLR.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0118.664] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjLR.cab") returned 74 [0118.664] wcscmp (_String1="ProjLR.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0118.664] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ProjLR.cab") returned 0x0 [0118.664] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjLR.cab") returned 0x4a [0118.664] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0118.664] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0119.277] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.278] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0119.325] CloseHandle (hObject=0x78) returned 1 [0119.325] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjLR.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0119.326] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0119.326] __uncaught_exception () returned 0x70700 [0119.326] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0119.379] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjLR.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\projlr.cab.[rmail@rmail.cc].rmaile")) returned 1 [0119.379] ??_V@YAXPAX@Z () returned 0x1 [0119.385] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjLR.cab", dwFileAttributes=0x2000) returned 0 [0119.385] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\projlr.cab")) returned 0 [0119.385] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0119.385] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0119.386] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0119.386] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0119.386] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0119.386] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0119.386] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0119.399] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x750, lpOverlapped=0x0) returned 1 [0119.484] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.484] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x760, lpOverlapped=0x0) returned 1 [0119.484] CloseHandle (hObject=0x78) returned 1 [0119.484] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0119.484] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0119.484] __uncaught_exception () returned 0x70700 [0119.484] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0119.485] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0119.485] ??_V@YAXPAX@Z () returned 0x1 [0119.491] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0119.491] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0119.491] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0119.491] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0119.491] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C") returned 0x3f [0119.492] strlen (_Str="${KEY}") returned 0x6 [0119.492] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0119.492] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0119.492] strlen (_Str="${CODE}") returned 0x7 [0119.492] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0119.492] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0119.492] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0119.492] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00B4-0409-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0119.492] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0119.492] __uncaught_exception () returned 0x70700 [0119.492] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0119.493] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0119.493] wcsstr (_Str="{90140000-00BA-0409-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0119.493] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C") returned 63 [0119.494] wcscmp (_String1=".", _String2="{90140000-00BA-0409-0000-0000000FF1CE}-C") returned -1 [0119.494] wcscmp (_String1="..", _String2="{90140000-00BA-0409-0000-0000000FF1CE}-C") returned -1 [0119.494] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C") returned 0x3f [0119.494] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\*" [0119.494] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0119.495] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0119.495] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\.") returned 65 [0119.495] wcscmp (_String1=".", _String2=".") returned 0 [0119.495] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0119.495] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0119.495] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\..") returned 66 [0119.495] wcscmp (_String1=".", _String2="..") returned -1 [0119.495] wcscmp (_String1="..", _String2="..") returned 0 [0119.495] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0119.495] wcsstr (_Str="GrooveLR.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0119.495] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveLR.cab") returned 76 [0119.495] wcscmp (_String1="GrooveLR.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0119.496] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="GrooveLR.cab") returned 0x0 [0119.496] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveLR.cab") returned 0x4c [0119.496] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0119.496] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0119.915] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0119.916] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0119.930] CloseHandle (hObject=0x78) returned 1 [0119.930] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveLR.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0119.930] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0119.930] __uncaught_exception () returned 0x70700 [0119.930] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0119.942] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveLR.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\groovelr.cab.[rmail@rmail.cc].rmaile")) returned 1 [0119.943] ??_V@YAXPAX@Z () returned 0x1 [0119.959] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveLR.cab", dwFileAttributes=0x2000) returned 0 [0119.960] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\groovelr.cab")) returned 0 [0119.960] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0119.960] wcsstr (_Str="GrooveMUI.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0119.960] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.msi") returned 77 [0119.960] wcscmp (_String1="GrooveMUI.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0119.960] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="GrooveMUI.msi") returned 0x0 [0119.960] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.msi") returned 0x4d [0119.960] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0119.960] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0120.356] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.356] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0120.372] CloseHandle (hObject=0x78) returned 1 [0120.372] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0120.372] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0120.372] __uncaught_exception () returned 0x70700 [0120.372] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0120.373] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\groovemui.msi.[rmail@rmail.cc].rmaile")) returned 1 [0120.373] ??_V@YAXPAX@Z () returned 0x1 [0120.628] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.msi", dwFileAttributes=0x2000) returned 0 [0120.628] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\groovemui.msi")) returned 0 [0120.628] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0120.628] wcsstr (_Str="GrooveMUI.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0120.628] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.xml") returned 77 [0120.628] wcscmp (_String1="GrooveMUI.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0120.628] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="GrooveMUI.xml") returned 0x0 [0120.628] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.xml") returned 0x4d [0120.628] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0120.628] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x391, lpOverlapped=0x0) returned 1 [0120.735] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.735] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x3a0, lpOverlapped=0x0) returned 1 [0120.735] CloseHandle (hObject=0x78) returned 1 [0120.735] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0120.735] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0120.735] __uncaught_exception () returned 0x70700 [0120.735] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0120.736] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\groovemui.xml.[rmail@rmail.cc].rmaile")) returned 1 [0120.736] ??_V@YAXPAX@Z () returned 0x1 [0120.742] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.xml", dwFileAttributes=0x2000) returned 0 [0120.742] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\groovemui.xml")) returned 0 [0120.742] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0120.742] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0120.742] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0120.742] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0120.742] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0120.742] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0120.742] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0120.743] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x5ac, lpOverlapped=0x0) returned 1 [0120.758] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.758] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x5b0, lpOverlapped=0x0) returned 1 [0120.758] CloseHandle (hObject=0x78) returned 1 [0120.758] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0120.758] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0120.759] __uncaught_exception () returned 0x70700 [0120.759] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0120.759] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0120.759] ??_V@YAXPAX@Z () returned 0x1 [0120.767] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0120.767] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0120.767] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0120.767] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0120.767] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C") returned 0x3f [0120.767] strlen (_Str="${KEY}") returned 0x6 [0120.767] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0120.767] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0120.767] strlen (_Str="${CODE}") returned 0x7 [0120.767] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0120.767] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0120.768] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0120.768] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0120.768] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0120.768] __uncaught_exception () returned 0x70700 [0120.768] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0120.770] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0120.770] wcsstr (_Str="{90140000-0115-0409-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0120.770] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C") returned 63 [0120.770] wcscmp (_String1=".", _String2="{90140000-0115-0409-0000-0000000FF1CE}-C") returned -1 [0120.770] wcscmp (_String1="..", _String2="{90140000-0115-0409-0000-0000000FF1CE}-C") returned -1 [0120.770] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C") returned 0x3f [0120.770] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\*" [0120.770] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0120.798] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0120.798] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\.") returned 65 [0120.798] wcscmp (_String1=".", _String2=".") returned 0 [0120.798] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0120.798] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0120.798] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\..") returned 66 [0120.798] wcscmp (_String1=".", _String2="..") returned -1 [0120.798] wcscmp (_String1="..", _String2="..") returned 0 [0120.798] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0120.799] wcsstr (_Str="1033", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0120.799] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033") returned 68 [0120.799] wcscmp (_String1=".", _String2="1033") returned -1 [0120.799] wcscmp (_String1="..", _String2="1033") returned -1 [0120.799] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033") returned 0x44 [0120.799] wcscat (in: _Dest=0x1ae470, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\*" [0120.799] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 0x44e3e8 [0120.800] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0120.800] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\.") returned 70 [0120.800] wcscmp (_String1=".", _String2=".") returned 0 [0120.800] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0120.800] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0120.800] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\..") returned 71 [0120.800] wcscmp (_String1=".", _String2="..") returned -1 [0120.800] wcscmp (_String1="..", _String2="..") returned 0 [0120.800] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0120.800] wcsstr (_Str="dwintl20.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0120.800] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 81 [0120.800] wcscmp (_String1="dwintl20.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0120.801] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="dwintl20.dll") returned 0x0 [0120.801] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 0x51 [0120.801] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0120.801] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x1a588, lpOverlapped=0x0) returned 1 [0120.935] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0120.935] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1a590, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x1a590, lpOverlapped=0x0) returned 1 [0120.935] CloseHandle (hObject=0x80) returned 1 [0120.935] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwintl20.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0120.936] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0120.936] __uncaught_exception () returned 0x70700 [0120.936] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0120.955] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\1033\\dwintl20.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwintl20.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\1033\\dwintl20.dll.[rmail@rmail.cc].rmaile")) returned 1 [0120.955] ??_V@YAXPAX@Z () returned 0x1 [0120.961] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwintl20.dll", dwFileAttributes=0x2000) returned 0 [0120.961] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 0 [0120.961] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 0 [0120.961] FindClose (in: hFindFile=0x44e3e8 | out: hFindFile=0x44e3e8) returned 1 [0120.961] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033") returned 0x44 [0120.962] strlen (_Str="${KEY}") returned 0x6 [0120.962] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0120.962] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0120.962] strlen (_Str="${CODE}") returned 0x7 [0120.962] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0120.962] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0120.962] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0120.962] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0120.963] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0120.963] __uncaught_exception () returned 0x70700 [0120.963] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0120.964] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0120.964] wcsstr (_Str="branding.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0120.964] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\branding.xml") returned 76 [0120.964] wcscmp (_String1="branding.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0120.964] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="branding.xml") returned 0x0 [0120.964] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\branding.xml") returned 0x4c [0120.964] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0120.965] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x91975, lpOverlapped=0x0) returned 1 [0121.134] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.134] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x91980, lpOverlapped=0x0) returned 1 [0121.136] CloseHandle (hObject=0x78) returned 1 [0121.137] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\branding.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0121.137] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0121.137] __uncaught_exception () returned 0x70700 [0121.137] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0121.138] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\branding.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\branding.xml.[rmail@rmail.cc].rmaile")) returned 1 [0121.138] ??_V@YAXPAX@Z () returned 0x1 [0121.146] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\branding.xml", dwFileAttributes=0x2000) returned 0 [0121.146] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\branding.xml")) returned 0 [0121.146] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0121.146] wcsstr (_Str="DW20.EXE", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0121.146] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.EXE") returned 72 [0121.146] wcscmp (_String1="DW20.EXE", _String2="!=How_recovery_files=!.txt") returned 1 [0121.146] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DW20.EXE") returned 0x0 [0121.146] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.EXE") returned 0x48 [0121.147] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0121.147] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0xccb88, lpOverlapped=0x0) returned 1 [0121.352] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.352] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xccb90, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0xccb90, lpOverlapped=0x0) returned 1 [0121.355] CloseHandle (hObject=0x78) returned 1 [0121.356] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.EXE", _Mode="a", _ShFlag=64) returned 0x76b32960 [0121.356] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0121.356] __uncaught_exception () returned 0x70700 [0121.356] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0121.356] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\dw20.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.EXE.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\dw20.exe.[rmail@rmail.cc].rmaile")) returned 1 [0121.357] ??_V@YAXPAX@Z () returned 0x1 [0121.365] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.EXE", dwFileAttributes=0x2000) returned 0 [0121.365] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\dw20.exe")) returned 0 [0121.365] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0121.365] wcsstr (_Str="dwdcw20.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0121.365] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwdcw20.dll") returned 75 [0121.365] wcscmp (_String1="dwdcw20.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0121.365] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="dwdcw20.dll") returned 0x0 [0121.365] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwdcw20.dll") returned 0x4b [0121.365] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0121.366] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x80760, lpOverlapped=0x0) returned 1 [0121.490] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.490] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x80770, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x80770, lpOverlapped=0x0) returned 1 [0121.492] CloseHandle (hObject=0x78) returned 1 [0121.492] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwdcw20.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0121.492] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0121.492] __uncaught_exception () returned 0x70700 [0121.492] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0121.493] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\dwdcw20.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwdcw20.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\dwdcw20.dll.[rmail@rmail.cc].rmaile")) returned 1 [0121.493] ??_V@YAXPAX@Z () returned 0x1 [0121.499] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwdcw20.dll", dwFileAttributes=0x2000) returned 0 [0121.499] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\dwdcw20.dll")) returned 0 [0121.499] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0121.499] wcsstr (_Str="dwtrig20.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0121.499] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.exe") returned 76 [0121.499] wcscmp (_String1="dwtrig20.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0121.499] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="dwtrig20.exe") returned 0x0 [0121.499] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.exe") returned 0x4c [0121.499] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0121.522] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x7eda0, lpOverlapped=0x0) returned 1 [0121.959] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0121.959] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x7edb0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x7edb0, lpOverlapped=0x0) returned 1 [0121.961] CloseHandle (hObject=0x78) returned 1 [0121.962] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.exe", _Mode="a", _ShFlag=64) returned 0x76b32960 [0121.962] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0121.962] __uncaught_exception () returned 0x70700 [0121.962] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0121.962] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\dwtrig20.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.exe.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\dwtrig20.exe.[rmail@rmail.cc].rmaile")) returned 1 [0121.963] ??_V@YAXPAX@Z () returned 0x1 [0121.971] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.exe", dwFileAttributes=0x2000) returned 0 [0121.971] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\dwtrig20.exe")) returned 0 [0121.971] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0121.971] wcsstr (_Str="Microsoft.VC90.CRT.manifest", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0121.971] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 91 [0121.971] wcscmp (_String1="Microsoft.VC90.CRT.manifest", _String2="!=How_recovery_files=!.txt") returned 1 [0121.971] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Microsoft.VC90.CRT.manifest") returned 0x0 [0121.971] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 0x5b [0121.971] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0121.972] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x741, lpOverlapped=0x0) returned 1 [0122.090] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.090] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x750, lpOverlapped=0x0) returned 1 [0122.091] CloseHandle (hObject=0x78) returned 1 [0122.091] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", _Mode="a", _ShFlag=64) returned 0x76b32960 [0122.091] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0122.091] __uncaught_exception () returned 0x70700 [0122.091] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0122.091] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.[rmail@rmail.cc].rmaile")) returned 1 [0122.092] ??_V@YAXPAX@Z () returned 0x1 [0122.099] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest", dwFileAttributes=0x2000) returned 0 [0122.099] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 0 [0122.099] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0122.099] wcsstr (_Str="msvcr90.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0122.099] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\msvcr90.dll") returned 75 [0122.099] wcscmp (_String1="msvcr90.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0122.099] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="msvcr90.dll") returned 0x0 [0122.099] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\msvcr90.dll") returned 0x4b [0122.099] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0122.099] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0xa0200, lpOverlapped=0x0) returned 1 [0122.257] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.257] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xa0210, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0xa0210, lpOverlapped=0x0) returned 1 [0122.260] CloseHandle (hObject=0x78) returned 1 [0122.261] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\msvcr90.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0122.261] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0122.261] __uncaught_exception () returned 0x70700 [0122.261] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0122.261] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\msvcr90.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\msvcr90.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\msvcr90.dll.[rmail@rmail.cc].rmaile")) returned 1 [0122.262] ??_V@YAXPAX@Z () returned 0x1 [0122.270] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\msvcr90.dll", dwFileAttributes=0x2000) returned 0 [0122.270] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\msvcr90.dll")) returned 0 [0122.270] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0122.270] wcsstr (_Str="OfficeLR.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0122.270] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeLR.cab") returned 76 [0122.270] wcscmp (_String1="OfficeLR.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0122.270] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OfficeLR.cab") returned 0x0 [0122.270] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeLR.cab") returned 0x4c [0122.271] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0122.272] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0122.437] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0122.437] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0122.715] CloseHandle (hObject=0x78) returned 1 [0122.715] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeLR.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0122.715] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0122.715] __uncaught_exception () returned 0x70700 [0122.715] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0122.813] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeLR.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officelr.cab.[rmail@rmail.cc].rmaile")) returned 1 [0122.814] ??_V@YAXPAX@Z () returned 0x1 [0122.820] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeLR.cab", dwFileAttributes=0x2000) returned 0 [0122.820] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officelr.cab")) returned 0 [0122.820] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0122.820] wcsstr (_Str="OfficeMUI.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0122.820] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.msi") returned 77 [0122.820] wcscmp (_String1="OfficeMUI.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0122.820] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OfficeMUI.msi") returned 0x0 [0122.820] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.msi") returned 0x4d [0122.820] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0122.821] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0123.050] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.050] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0123.068] CloseHandle (hObject=0x78) returned 1 [0123.068] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0123.068] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0123.068] __uncaught_exception () returned 0x70700 [0123.068] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0123.069] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemui.msi.[rmail@rmail.cc].rmaile")) returned 1 [0123.070] ??_V@YAXPAX@Z () returned 0x1 [0123.079] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.msi", dwFileAttributes=0x2000) returned 0 [0123.079] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemui.msi")) returned 0 [0123.079] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0123.079] wcsstr (_Str="OfficeMUI.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0123.079] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.xml") returned 77 [0123.079] wcscmp (_String1="OfficeMUI.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0123.080] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OfficeMUI.xml") returned 0x0 [0123.080] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.xml") returned 0x4d [0123.080] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0123.080] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x161e, lpOverlapped=0x0) returned 1 [0123.168] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.168] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1620, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x1620, lpOverlapped=0x0) returned 1 [0123.168] CloseHandle (hObject=0x78) returned 1 [0123.169] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0123.169] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0123.169] __uncaught_exception () returned 0x70700 [0123.169] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0123.169] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemui.xml.[rmail@rmail.cc].rmaile")) returned 1 [0123.170] ??_V@YAXPAX@Z () returned 0x1 [0123.181] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.xml", dwFileAttributes=0x2000) returned 0 [0123.181] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemui.xml")) returned 0 [0123.181] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0123.181] wcsstr (_Str="OfficeMUISet.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0123.181] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 80 [0123.181] wcscmp (_String1="OfficeMUISet.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0123.181] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OfficeMUISet.msi") returned 0x0 [0123.181] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 0x50 [0123.181] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0123.185] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x9ec00, lpOverlapped=0x0) returned 1 [0123.316] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.316] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x9ec10, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x9ec10, lpOverlapped=0x0) returned 1 [0123.318] CloseHandle (hObject=0x78) returned 1 [0123.318] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0123.318] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0123.318] __uncaught_exception () returned 0x70700 [0123.318] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0123.318] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemuiset.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemuiset.msi.[rmail@rmail.cc].rmaile")) returned 1 [0123.319] ??_V@YAXPAX@Z () returned 0x1 [0123.325] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.msi", dwFileAttributes=0x2000) returned 0 [0123.325] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemuiset.msi")) returned 0 [0123.325] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0123.325] wcsstr (_Str="OfficeMUISet.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0123.325] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 80 [0123.325] wcscmp (_String1="OfficeMUISet.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0123.325] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OfficeMUISet.xml") returned 0x0 [0123.325] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 0x50 [0123.325] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0123.325] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x333, lpOverlapped=0x0) returned 1 [0123.466] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.466] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x340, lpOverlapped=0x0) returned 1 [0123.466] CloseHandle (hObject=0x78) returned 1 [0123.466] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0123.466] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0123.466] __uncaught_exception () returned 0x70700 [0123.466] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0123.467] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemuiset.xml.[rmail@rmail.cc].rmaile")) returned 1 [0123.467] ??_V@YAXPAX@Z () returned 0x1 [0123.474] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.xml", dwFileAttributes=0x2000) returned 0 [0123.474] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\officemuiset.xml")) returned 0 [0123.474] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0123.474] wcsstr (_Str="osetupui.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0123.474] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\osetupui.dll") returned 76 [0123.474] wcscmp (_String1="osetupui.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0123.474] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="osetupui.dll") returned 0x0 [0123.474] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\osetupui.dll") returned 0x4c [0123.474] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0123.475] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x2ed80, lpOverlapped=0x0) returned 1 [0123.690] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.690] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x2ed90, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x2ed90, lpOverlapped=0x0) returned 1 [0123.702] CloseHandle (hObject=0x78) returned 1 [0123.702] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\osetupui.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0123.703] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0123.703] __uncaught_exception () returned 0x70700 [0123.703] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0123.703] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\osetupui.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\osetupui.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\osetupui.dll.[rmail@rmail.cc].rmaile")) returned 1 [0123.706] ??_V@YAXPAX@Z () returned 0x1 [0123.753] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\osetupui.dll", dwFileAttributes=0x2000) returned 0 [0123.753] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\osetupui.dll")) returned 0 [0123.753] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0123.753] wcsstr (_Str="pss10r.chm", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0123.753] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\pss10r.chm") returned 74 [0123.753] wcscmp (_String1="pss10r.chm", _String2="!=How_recovery_files=!.txt") returned 1 [0123.753] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="pss10r.chm") returned 0x0 [0123.753] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\pss10r.chm") returned 0x4a [0123.753] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0123.754] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x6a3b, lpOverlapped=0x0) returned 1 [0123.907] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.907] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x6a40, lpOverlapped=0x0) returned 1 [0123.907] CloseHandle (hObject=0x78) returned 1 [0123.907] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\pss10r.chm", _Mode="a", _ShFlag=64) returned 0x76b32960 [0123.908] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0123.908] __uncaught_exception () returned 0x70700 [0123.908] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0123.908] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\pss10r.chm.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\pss10r.chm.[rmail@rmail.cc].rmaile")) returned 1 [0123.909] ??_V@YAXPAX@Z () returned 0x1 [0123.917] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\pss10r.chm", dwFileAttributes=0x2000) returned 0 [0123.917] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\pss10r.chm")) returned 0 [0123.917] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0123.918] wcsstr (_Str="setup.chm", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0123.918] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\setup.chm") returned 73 [0123.918] wcscmp (_String1="setup.chm", _String2="!=How_recovery_files=!.txt") returned 1 [0123.918] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="setup.chm") returned 0x0 [0123.918] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\setup.chm") returned 0x49 [0123.918] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0123.918] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x10676, lpOverlapped=0x0) returned 1 [0123.994] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0123.994] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x10680, lpOverlapped=0x0) returned 1 [0123.997] CloseHandle (hObject=0x78) returned 1 [0123.998] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\setup.chm", _Mode="a", _ShFlag=64) returned 0x76b32960 [0123.998] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0123.998] __uncaught_exception () returned 0x70700 [0123.998] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0123.998] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\setup.chm.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\setup.chm.[rmail@rmail.cc].rmaile")) returned 1 [0124.002] ??_V@YAXPAX@Z () returned 0x1 [0124.010] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\setup.chm", dwFileAttributes=0x2000) returned 0 [0124.010] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\setup.chm")) returned 0 [0124.010] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0124.010] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0124.010] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0124.010] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0124.010] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0124.010] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0124.010] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0124.011] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x257e, lpOverlapped=0x0) returned 1 [0124.103] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.103] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x2580, lpOverlapped=0x0) returned 1 [0124.103] CloseHandle (hObject=0x78) returned 1 [0124.103] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0124.103] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0124.103] __uncaught_exception () returned 0x70700 [0124.103] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0124.104] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0124.104] ??_V@YAXPAX@Z () returned 0x1 [0124.112] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0124.112] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0124.112] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0124.112] wcsstr (_Str="ShellUI.MST", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0124.112] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\ShellUI.MST") returned 75 [0124.112] wcscmp (_String1="ShellUI.MST", _String2="!=How_recovery_files=!.txt") returned 1 [0124.113] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ShellUI.MST") returned 0x0 [0124.113] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\ShellUI.MST") returned 0x4b [0124.113] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0124.113] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0xe00, lpOverlapped=0x0) returned 1 [0124.322] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0124.322] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0xe10, lpOverlapped=0x0) returned 1 [0124.323] CloseHandle (hObject=0x78) returned 1 [0124.323] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\ShellUI.MST", _Mode="a", _ShFlag=64) returned 0x76b32960 [0124.324] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0124.324] __uncaught_exception () returned 0x70700 [0124.324] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0124.325] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\ShellUI.MST.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\shellui.mst.[rmail@rmail.cc].rmaile")) returned 1 [0124.328] ??_V@YAXPAX@Z () returned 0x1 [0124.337] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\ShellUI.MST", dwFileAttributes=0x2000) returned 0 [0124.337] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-0000-0000000ff1ce}-c\\shellui.mst")) returned 0 [0124.337] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0124.337] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0124.337] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C") returned 0x3f [0124.337] strlen (_Str="${KEY}") returned 0x6 [0124.337] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0124.337] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0124.337] strlen (_Str="${CODE}") returned 0x7 [0124.337] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0124.337] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0124.337] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0124.337] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0124.338] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0124.338] __uncaught_exception () returned 0x70700 [0124.338] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0124.340] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0124.340] wcsstr (_Str="{90140000-0117-0409-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0124.340] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C") returned 63 [0124.340] wcscmp (_String1=".", _String2="{90140000-0117-0409-0000-0000000FF1CE}-C") returned -1 [0124.340] wcscmp (_String1="..", _String2="{90140000-0117-0409-0000-0000000FF1CE}-C") returned -1 [0124.340] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C") returned 0x3f [0124.340] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\*" [0124.340] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0124.827] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0124.827] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\.") returned 65 [0124.827] wcscmp (_String1=".", _String2=".") returned 0 [0124.827] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0124.828] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0124.828] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\..") returned 66 [0124.828] wcscmp (_String1=".", _String2="..") returned -1 [0124.828] wcscmp (_String1="..", _String2="..") returned 0 [0124.828] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0124.828] wcsstr (_Str="Access.en-us", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0124.828] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us") returned 76 [0124.828] wcscmp (_String1=".", _String2="Access.en-us") returned -1 [0124.828] wcscmp (_String1="..", _String2="Access.en-us") returned -1 [0124.828] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us") returned 0x4c [0124.828] wcscat (in: _Dest=0x1ae470, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\*") returned="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\*" [0124.828] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 0x44e3e8 [0125.234] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0125.234] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\.") returned 78 [0125.234] wcscmp (_String1=".", _String2=".") returned 0 [0125.234] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0125.234] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0125.234] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\..") returned 79 [0125.234] wcscmp (_String1=".", _String2="..") returned -1 [0125.234] wcscmp (_String1="..", _String2="..") returned 0 [0125.234] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0125.234] wcsstr (_Str="AccessMUI.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0125.234] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 90 [0125.234] wcscmp (_String1="AccessMUI.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0125.234] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AccessMUI.msi") returned 0x0 [0125.234] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 0x5a [0125.234] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0125.235] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0126.139] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.139] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0126.160] CloseHandle (hObject=0x80) returned 1 [0126.161] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0126.161] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0126.161] __uncaught_exception () returned 0x70700 [0126.161] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0126.162] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.[rmail@rmail.cc].rmaile")) returned 1 [0126.162] ??_V@YAXPAX@Z () returned 0x1 [0126.170] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi", dwFileAttributes=0x2000) returned 0 [0126.170] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\accessmui.msi")) returned 0 [0126.171] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0126.171] wcsstr (_Str="AccessMUI.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0126.171] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 90 [0126.171] wcscmp (_String1="AccessMUI.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0126.171] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AccessMUI.xml") returned 0x0 [0126.171] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 0x5a [0126.171] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0126.171] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x545, lpOverlapped=0x0) returned 1 [0126.227] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.227] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x550, lpOverlapped=0x0) returned 1 [0126.227] CloseHandle (hObject=0x80) returned 1 [0126.227] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0126.228] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0126.228] __uncaught_exception () returned 0x70700 [0126.228] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0126.229] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.[rmail@rmail.cc].rmaile")) returned 1 [0126.230] ??_V@YAXPAX@Z () returned 0x1 [0126.243] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml", dwFileAttributes=0x2000) returned 0 [0126.244] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 0 [0126.244] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0126.244] wcsstr (_Str="AccLR.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0126.244] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 86 [0126.244] wcscmp (_String1="AccLR.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0126.244] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AccLR.cab") returned 0x0 [0126.244] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 0x56 [0126.244] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0126.244] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0126.888] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0126.888] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0126.906] CloseHandle (hObject=0x80) returned 1 [0126.906] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0126.907] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0126.907] __uncaught_exception () returned 0x70700 [0126.907] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0126.951] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\acclr.cab.[rmail@rmail.cc].rmaile")) returned 1 [0126.951] ??_V@YAXPAX@Z () returned 0x1 [0126.958] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab", dwFileAttributes=0x2000) returned 0 [0126.958] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\acclr.cab")) returned 0 [0126.958] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0126.958] wcsstr (_Str="branding.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0126.958] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 89 [0126.958] wcscmp (_String1="branding.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0126.958] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="branding.xml") returned 0x0 [0126.958] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 0x59 [0126.958] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0126.959] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x91975, lpOverlapped=0x0) returned 1 [0127.344] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.344] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x91980, lpOverlapped=0x0) returned 1 [0127.346] CloseHandle (hObject=0x80) returned 1 [0127.347] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\branding.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0127.347] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0127.347] __uncaught_exception () returned 0x70700 [0127.347] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0127.347] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\branding.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\branding.xml.[rmail@rmail.cc].rmaile")) returned 1 [0127.348] ??_V@YAXPAX@Z () returned 0x1 [0127.384] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\branding.xml", dwFileAttributes=0x2000) returned 0 [0127.384] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 0 [0127.384] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 0 [0127.384] FindClose (in: hFindFile=0x44e3e8 | out: hFindFile=0x44e3e8) returned 1 [0127.384] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us") returned 0x4c [0127.385] strlen (_Str="${KEY}") returned 0x6 [0127.385] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0127.385] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0127.385] strlen (_Str="${CODE}") returned 0x7 [0127.385] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0127.385] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0127.385] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0127.385] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0127.385] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0127.385] __uncaught_exception () returned 0x70700 [0127.385] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0127.386] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0127.387] wcsstr (_Str="AccessMUISet.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0127.387] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.msi") returned 80 [0127.387] wcscmp (_String1="AccessMUISet.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0127.387] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AccessMUISet.msi") returned 0x0 [0127.387] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.msi") returned 0x50 [0127.387] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0127.387] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x9ec00, lpOverlapped=0x0) returned 1 [0127.464] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.464] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x9ec10, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x9ec10, lpOverlapped=0x0) returned 1 [0127.466] CloseHandle (hObject=0x78) returned 1 [0127.467] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0127.467] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0127.467] __uncaught_exception () returned 0x70700 [0127.467] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0127.467] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\accessmuiset.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\accessmuiset.msi.[rmail@rmail.cc].rmaile")) returned 1 [0127.468] ??_V@YAXPAX@Z () returned 0x1 [0127.474] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.msi", dwFileAttributes=0x2000) returned 0 [0127.474] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\accessmuiset.msi")) returned 0 [0127.474] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0127.474] wcsstr (_Str="AccessMUISet.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0127.474] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.xml") returned 80 [0127.474] wcscmp (_String1="AccessMUISet.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0127.474] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AccessMUISet.xml") returned 0x0 [0127.474] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.xml") returned 0x50 [0127.474] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0127.475] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x333, lpOverlapped=0x0) returned 1 [0127.611] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.611] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x340, lpOverlapped=0x0) returned 1 [0127.612] CloseHandle (hObject=0x78) returned 1 [0127.612] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0127.612] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0127.612] __uncaught_exception () returned 0x70700 [0127.612] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0127.613] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\accessmuiset.xml.[rmail@rmail.cc].rmaile")) returned 1 [0127.613] ??_V@YAXPAX@Z () returned 0x1 [0127.621] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.xml", dwFileAttributes=0x2000) returned 0 [0127.622] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\accessmuiset.xml")) returned 0 [0127.622] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0127.622] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0127.622] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0127.622] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0127.622] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0127.622] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0127.622] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0127.622] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0xa40, lpOverlapped=0x0) returned 1 [0127.661] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.661] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0xa50, lpOverlapped=0x0) returned 1 [0127.661] CloseHandle (hObject=0x78) returned 1 [0127.661] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0127.662] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0127.662] __uncaught_exception () returned 0x70700 [0127.662] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0127.662] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0127.663] ??_V@YAXPAX@Z () returned 0x1 [0127.671] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0127.671] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0127.671] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0127.671] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0127.672] wcslen (_String="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C") returned 0x3f [0127.672] strlen (_Str="${KEY}") returned 0x6 [0127.672] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0127.672] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0127.672] strlen (_Str="${CODE}") returned 0x7 [0127.672] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0127.672] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0127.672] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0127.672] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0127.672] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0127.672] __uncaught_exception () returned 0x70700 [0127.672] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0127.674] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0127.674] wcsstr (_Str="{91140000-0011-0000-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0127.674] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C") returned 63 [0127.674] wcscmp (_String1=".", _String2="{91140000-0011-0000-0000-0000000FF1CE}-C") returned -1 [0127.674] wcscmp (_String1="..", _String2="{91140000-0011-0000-0000-0000000FF1CE}-C") returned -1 [0127.674] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C") returned 0x3f [0127.674] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\*" [0127.674] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0127.743] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0127.743] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\.") returned 65 [0127.743] wcscmp (_String1=".", _String2=".") returned 0 [0127.743] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0127.744] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0127.744] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\..") returned 66 [0127.744] wcscmp (_String1=".", _String2="..") returned -1 [0127.744] wcscmp (_String1="..", _String2="..") returned 0 [0127.744] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0127.744] wcsstr (_Str="Office64WW.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0127.744] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.msi") returned 78 [0127.744] wcscmp (_String1="Office64WW.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0127.744] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Office64WW.msi") returned 0x0 [0127.744] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.msi") returned 0x4e [0127.744] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\office64ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0127.821] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0127.943] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0127.943] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0128.173] CloseHandle (hObject=0x78) returned 1 [0128.173] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0128.173] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0128.173] __uncaught_exception () returned 0x70700 [0128.173] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0128.523] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\office64ww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\office64ww.msi.[rmail@rmail.cc].rmaile")) returned 1 [0128.524] ??_V@YAXPAX@Z () returned 0x1 [0128.532] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.msi", dwFileAttributes=0x2000) returned 0 [0128.532] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\office64ww.msi")) returned 0 [0128.532] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0128.532] wcsstr (_Str="Office64WW.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0128.532] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.xml") returned 78 [0128.532] wcscmp (_String1="Office64WW.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0128.532] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Office64WW.xml") returned 0x0 [0128.532] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.xml") returned 0x4e [0128.532] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\office64ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0128.533] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x124d, lpOverlapped=0x0) returned 1 [0128.664] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.664] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1250, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x1250, lpOverlapped=0x0) returned 1 [0128.664] CloseHandle (hObject=0x78) returned 1 [0128.665] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0128.665] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0128.665] __uncaught_exception () returned 0x70700 [0128.665] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0128.665] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\office64ww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\office64ww.xml.[rmail@rmail.cc].rmaile")) returned 1 [0128.666] ??_V@YAXPAX@Z () returned 0x1 [0128.674] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.xml", dwFileAttributes=0x2000) returned 0 [0128.674] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Office64WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\office64ww.xml")) returned 0 [0128.674] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0128.675] wcsstr (_Str="ose.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0128.675] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.exe") returned 71 [0128.675] wcscmp (_String1="ose.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0128.675] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ose.exe") returned 0x0 [0128.675] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.exe") returned 0x47 [0128.675] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0128.675] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x24768, lpOverlapped=0x0) returned 1 [0128.745] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.745] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x24770, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x24770, lpOverlapped=0x0) returned 1 [0128.746] CloseHandle (hObject=0x78) returned 1 [0128.746] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.exe", _Mode="a", _ShFlag=64) returned 0x76b32960 [0128.746] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0128.746] __uncaught_exception () returned 0x70700 [0128.746] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0128.747] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.exe.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\ose.exe.[rmail@rmail.cc].rmaile")) returned 1 [0128.749] ??_V@YAXPAX@Z () returned 0x1 [0128.757] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.exe", dwFileAttributes=0x2000) returned 0 [0128.758] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\ose.exe")) returned 0 [0128.758] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0128.758] wcsstr (_Str="osetup.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0128.758] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\osetup.dll") returned 74 [0128.758] wcscmp (_String1="osetup.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0128.758] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="osetup.dll") returned 0x0 [0128.758] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\osetup.dll") returned 0x4a [0128.758] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0128.766] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0128.907] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0128.907] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0128.925] CloseHandle (hObject=0x78) returned 1 [0128.925] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\osetup.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0128.926] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0128.926] __uncaught_exception () returned 0x70700 [0128.926] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0128.958] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\osetup.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\osetup.dll.[rmail@rmail.cc].rmaile")) returned 1 [0128.958] ??_V@YAXPAX@Z () returned 0x1 [0128.966] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\osetup.dll", dwFileAttributes=0x2000) returned 0 [0128.966] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\osetup.dll")) returned 0 [0128.966] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0128.966] wcsstr (_Str="OWOW64WW.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0128.967] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab") returned 76 [0128.967] wcscmp (_String1="OWOW64WW.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0128.967] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OWOW64WW.cab") returned 0x0 [0128.967] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab") returned 0x4c [0128.967] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\owow64ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0128.967] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0129.423] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.423] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0129.438] CloseHandle (hObject=0x78) returned 1 [0129.439] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0129.439] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0129.439] __uncaught_exception () returned 0x70700 [0129.439] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0129.467] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\owow64ww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\owow64ww.cab.[rmail@rmail.cc].rmaile")) returned 1 [0129.468] ??_V@YAXPAX@Z () returned 0x1 [0129.478] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab", dwFileAttributes=0x2000) returned 0 [0129.478] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\owow64ww.cab")) returned 0 [0129.478] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0129.479] wcsstr (_Str="PidGenX.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0129.479] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\PidGenX.dll") returned 75 [0129.479] wcscmp (_String1="PidGenX.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0129.479] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="PidGenX.dll") returned 0x0 [0129.479] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\PidGenX.dll") returned 0x4b [0129.479] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0129.484] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0129.762] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0129.762] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0129.781] CloseHandle (hObject=0x78) returned 1 [0129.781] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\PidGenX.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0129.781] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0129.781] __uncaught_exception () returned 0x70700 [0129.781] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0129.782] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\PidGenX.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\pidgenx.dll.[rmail@rmail.cc].rmaile")) returned 1 [0129.782] ??_V@YAXPAX@Z () returned 0x1 [0129.788] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\PidGenX.dll", dwFileAttributes=0x2000) returned 0 [0129.788] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\pidgenx.dll")) returned 0 [0129.788] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0129.788] wcsstr (_Str="pkeyconfig-office.xrm-ms", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0129.788] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 88 [0129.788] wcscmp (_String1="pkeyconfig-office.xrm-ms", _String2="!=How_recovery_files=!.txt") returned 1 [0129.788] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="pkeyconfig-office.xrm-ms") returned 0x0 [0129.788] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 0x58 [0129.788] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0129.789] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0xaec3a, lpOverlapped=0x0) returned 1 [0130.308] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.308] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0xaec40, lpOverlapped=0x0) returned 1 [0130.311] CloseHandle (hObject=0x78) returned 1 [0130.311] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", _Mode="a", _ShFlag=64) returned 0x76b32960 [0130.312] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0130.312] __uncaught_exception () returned 0x70700 [0130.312] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0130.312] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.[rmail@rmail.cc].rmaile")) returned 1 [0130.313] ??_V@YAXPAX@Z () returned 0x1 [0130.331] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", dwFileAttributes=0x2000) returned 0 [0130.331] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0 [0130.331] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0130.331] wcsstr (_Str="ProPlusrWW.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0130.331] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 78 [0130.331] wcscmp (_String1="ProPlusrWW.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0130.331] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ProPlusrWW.msi") returned 0x0 [0130.331] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 0x4e [0130.331] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0130.332] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0130.488] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.488] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0130.503] CloseHandle (hObject=0x78) returned 1 [0130.503] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0130.503] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0130.503] __uncaught_exception () returned 0x70700 [0130.503] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0130.552] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proplusrww.msi.[rmail@rmail.cc].rmaile")) returned 1 [0130.553] ??_V@YAXPAX@Z () returned 0x1 [0130.559] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.msi", dwFileAttributes=0x2000) returned 0 [0130.559] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proplusrww.msi")) returned 0 [0130.559] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0130.559] wcsstr (_Str="ProPlusrWW.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0130.559] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 78 [0130.559] wcscmp (_String1="ProPlusrWW.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0130.559] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ProPlusrWW.xml") returned 0x0 [0130.559] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 0x4e [0130.559] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0130.560] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x4366, lpOverlapped=0x0) returned 1 [0130.588] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.588] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x4370, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x4370, lpOverlapped=0x0) returned 1 [0130.588] CloseHandle (hObject=0x78) returned 1 [0130.588] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0130.588] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0130.588] __uncaught_exception () returned 0x70700 [0130.589] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0130.589] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proplusrww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proplusrww.xml.[rmail@rmail.cc].rmaile")) returned 1 [0130.589] ??_V@YAXPAX@Z () returned 0x1 [0130.596] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.xml", dwFileAttributes=0x2000) returned 0 [0130.596] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proplusrww.xml")) returned 0 [0130.596] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0130.597] wcsstr (_Str="ProPrWW.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0130.597] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW.cab") returned 75 [0130.597] wcscmp (_String1="ProPrWW.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0130.597] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ProPrWW.cab") returned 0x0 [0130.597] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW.cab") returned 0x4b [0130.597] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0130.598] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0130.746] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0130.746] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0130.761] CloseHandle (hObject=0x78) returned 1 [0130.761] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0130.761] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0130.761] __uncaught_exception () returned 0x70700 [0130.761] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0130.786] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proprww.cab.[rmail@rmail.cc].rmaile")) returned 1 [0130.786] ??_V@YAXPAX@Z () returned 0x1 [0130.837] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW.cab", dwFileAttributes=0x2000) returned 0 [0130.837] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proprww.cab")) returned 0 [0130.971] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0130.971] wcsstr (_Str="ProPrWW2.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0130.971] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW2.cab") returned 76 [0130.971] wcscmp (_String1="ProPrWW2.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0130.971] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ProPrWW2.cab") returned 0x0 [0130.971] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW2.cab") returned 0x4c [0130.971] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0130.972] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0131.270] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.270] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0131.295] CloseHandle (hObject=0x78) returned 1 [0131.295] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW2.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0131.295] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0131.295] __uncaught_exception () returned 0x70700 [0131.295] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0131.332] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW2.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proprww2.cab.[rmail@rmail.cc].rmaile")) returned 1 [0131.333] ??_V@YAXPAX@Z () returned 0x1 [0131.341] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW2.cab", dwFileAttributes=0x2000) returned 0 [0131.341] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\proprww2.cab")) returned 0 [0131.341] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0131.341] wcsstr (_Str="setup.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0131.341] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.exe") returned 73 [0131.341] wcscmp (_String1="setup.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0131.341] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="setup.exe") returned 0x0 [0131.341] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.exe") returned 0x49 [0131.341] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0131.342] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0131.505] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0131.505] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0131.996] CloseHandle (hObject=0x78) returned 1 [0131.997] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.exe", _Mode="a", _ShFlag=64) returned 0x76b32960 [0131.997] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0131.997] __uncaught_exception () returned 0x70700 [0131.997] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0131.997] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.exe.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\setup.exe.[rmail@rmail.cc].rmaile")) returned 1 [0131.998] ??_V@YAXPAX@Z () returned 0x1 [0132.005] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.exe", dwFileAttributes=0x2000) returned 0 [0132.005] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\setup.exe")) returned 0 [0132.005] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0132.006] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0132.006] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0132.006] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0132.006] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0132.006] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0132.006] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0132.006] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x7ddb, lpOverlapped=0x0) returned 1 [0132.055] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.055] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x7de0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x7de0, lpOverlapped=0x0) returned 1 [0132.055] CloseHandle (hObject=0x78) returned 1 [0132.056] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0132.056] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0132.056] __uncaught_exception () returned 0x70700 [0132.056] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0132.057] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0132.058] ??_V@YAXPAX@Z () returned 0x1 [0132.064] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0132.064] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0132.064] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0132.064] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0132.065] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C") returned 0x3f [0132.065] strlen (_Str="${KEY}") returned 0x6 [0132.065] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0132.065] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0132.065] strlen (_Str="${CODE}") returned 0x7 [0132.065] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0132.065] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0132.065] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0132.065] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0132.065] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0132.065] __uncaught_exception () returned 0x70700 [0132.065] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0132.066] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0132.066] wcsstr (_Str="{91140000-003B-0000-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0132.067] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C") returned 63 [0132.067] wcscmp (_String1=".", _String2="{91140000-003B-0000-0000-0000000FF1CE}-C") returned -1 [0132.067] wcscmp (_String1="..", _String2="{91140000-003B-0000-0000-0000000FF1CE}-C") returned -1 [0132.067] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C") returned 0x3f [0132.067] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\*" [0132.067] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0132.085] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0132.085] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\.") returned 65 [0132.085] wcscmp (_String1=".", _String2=".") returned 0 [0132.085] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0132.085] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0132.085] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\..") returned 66 [0132.085] wcscmp (_String1=".", _String2="..") returned -1 [0132.085] wcscmp (_String1="..", _String2="..") returned 0 [0132.085] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0132.085] wcsstr (_Str="Office64WW.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0132.085] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.msi") returned 78 [0132.085] wcscmp (_String1="Office64WW.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0132.085] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Office64WW.msi") returned 0x0 [0132.085] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.msi") returned 0x4e [0132.085] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\office64ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0132.085] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0132.261] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.261] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0132.275] CloseHandle (hObject=0x78) returned 1 [0132.275] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0132.276] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0132.276] __uncaught_exception () returned 0x70700 [0132.276] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0132.280] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\office64ww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\office64ww.msi.[rmail@rmail.cc].rmaile")) returned 1 [0132.280] ??_V@YAXPAX@Z () returned 0x1 [0132.286] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.msi", dwFileAttributes=0x2000) returned 0 [0132.286] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\office64ww.msi")) returned 0 [0132.286] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0132.286] wcsstr (_Str="Office64WW.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0132.286] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.xml") returned 78 [0132.286] wcscmp (_String1="Office64WW.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0132.286] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Office64WW.xml") returned 0x0 [0132.286] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.xml") returned 0x4e [0132.286] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\office64ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0132.287] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x124d, lpOverlapped=0x0) returned 1 [0132.376] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.376] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1250, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x1250, lpOverlapped=0x0) returned 1 [0132.376] CloseHandle (hObject=0x78) returned 1 [0132.377] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0132.377] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0132.377] __uncaught_exception () returned 0x70700 [0132.377] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0132.378] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\office64ww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\office64ww.xml.[rmail@rmail.cc].rmaile")) returned 1 [0132.379] ??_V@YAXPAX@Z () returned 0x1 [0132.390] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.xml", dwFileAttributes=0x2000) returned 0 [0132.391] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Office64WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\office64ww.xml")) returned 0 [0132.391] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0132.391] wcsstr (_Str="ose.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0132.391] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\ose.exe") returned 71 [0132.391] wcscmp (_String1="ose.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0132.391] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ose.exe") returned 0x0 [0132.391] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\ose.exe") returned 0x47 [0132.391] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0132.392] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x24768, lpOverlapped=0x0) returned 1 [0132.463] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.463] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x24770, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x24770, lpOverlapped=0x0) returned 1 [0132.464] CloseHandle (hObject=0x78) returned 1 [0132.464] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\ose.exe", _Mode="a", _ShFlag=64) returned 0x76b32960 [0132.464] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0132.464] __uncaught_exception () returned 0x70700 [0132.464] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0132.465] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\ose.exe.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\ose.exe.[rmail@rmail.cc].rmaile")) returned 1 [0132.465] ??_V@YAXPAX@Z () returned 0x1 [0132.472] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\ose.exe", dwFileAttributes=0x2000) returned 0 [0132.472] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\ose.exe")) returned 0 [0132.472] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0132.472] wcsstr (_Str="osetup.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0132.472] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\osetup.dll") returned 74 [0132.472] wcscmp (_String1="osetup.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0132.472] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="osetup.dll") returned 0x0 [0132.472] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\osetup.dll") returned 0x4a [0132.472] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0132.473] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0132.608] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0132.608] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0132.622] CloseHandle (hObject=0x78) returned 1 [0132.622] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\osetup.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0132.622] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0132.622] __uncaught_exception () returned 0x70700 [0132.622] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0132.693] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\osetup.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\osetup.dll.[rmail@rmail.cc].rmaile")) returned 1 [0132.693] ??_V@YAXPAX@Z () returned 0x1 [0132.699] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\osetup.dll", dwFileAttributes=0x2000) returned 0 [0132.700] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\osetup.dll")) returned 0 [0132.700] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0132.700] wcsstr (_Str="OWOW64WW.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0132.700] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab") returned 76 [0132.700] wcscmp (_String1="OWOW64WW.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0132.700] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OWOW64WW.cab") returned 0x0 [0132.700] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab") returned 0x4c [0132.700] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\owow64ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0132.701] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0133.222] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.222] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0133.237] CloseHandle (hObject=0x78) returned 1 [0133.237] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0133.237] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0133.237] __uncaught_exception () returned 0x70700 [0133.237] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0133.318] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\owow64ww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\owow64ww.cab.[rmail@rmail.cc].rmaile")) returned 1 [0133.318] ??_V@YAXPAX@Z () returned 0x1 [0133.325] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab", dwFileAttributes=0x2000) returned 0 [0133.325] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\owow64ww.cab")) returned 0 [0133.325] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0133.325] wcsstr (_Str="PidGenX.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0133.325] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PidGenX.dll") returned 75 [0133.325] wcscmp (_String1="PidGenX.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0133.325] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="PidGenX.dll") returned 0x0 [0133.325] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PidGenX.dll") returned 0x4b [0133.325] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0133.326] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0133.546] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.546] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0133.563] CloseHandle (hObject=0x78) returned 1 [0133.563] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PidGenX.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0133.563] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0133.563] __uncaught_exception () returned 0x70700 [0133.563] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0133.564] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PidGenX.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\pidgenx.dll.[rmail@rmail.cc].rmaile")) returned 1 [0133.564] ??_V@YAXPAX@Z () returned 0x1 [0133.577] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PidGenX.dll", dwFileAttributes=0x2000) returned 0 [0133.577] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\pidgenx.dll")) returned 0 [0133.577] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0133.577] wcsstr (_Str="pkeyconfig-office.xrm-ms", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0133.577] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 88 [0133.577] wcscmp (_String1="pkeyconfig-office.xrm-ms", _String2="!=How_recovery_files=!.txt") returned 1 [0133.577] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="pkeyconfig-office.xrm-ms") returned 0x0 [0133.577] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 0x58 [0133.577] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0133.578] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0xaec3a, lpOverlapped=0x0) returned 1 [0133.669] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.669] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0xaec40, lpOverlapped=0x0) returned 1 [0133.673] CloseHandle (hObject=0x78) returned 1 [0133.673] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", _Mode="a", _ShFlag=64) returned 0x76b32960 [0133.674] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0133.674] __uncaught_exception () returned 0x70700 [0133.674] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0133.674] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.[rmail@rmail.cc].rmaile")) returned 1 [0133.675] ??_V@YAXPAX@Z () returned 0x1 [0133.683] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", dwFileAttributes=0x2000) returned 0 [0133.683] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0 [0133.683] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0133.683] wcsstr (_Str="PrjProrWW.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0133.683] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.msi") returned 77 [0133.683] wcscmp (_String1="PrjProrWW.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0133.683] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="PrjProrWW.msi") returned 0x0 [0133.683] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.msi") returned 0x4d [0133.684] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\prjprorww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0133.684] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0133.902] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.902] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0133.920] CloseHandle (hObject=0x78) returned 1 [0133.920] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0133.920] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0133.920] __uncaught_exception () returned 0x70700 [0133.920] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0133.961] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\prjprorww.msi.[rmail@rmail.cc].rmaile")) returned 1 [0133.962] ??_V@YAXPAX@Z () returned 0x1 [0133.971] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.msi", dwFileAttributes=0x2000) returned 0 [0133.971] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\prjprorww.msi")) returned 0 [0133.971] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0133.971] wcsstr (_Str="PrjProrWW.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0133.971] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.xml") returned 77 [0133.971] wcscmp (_String1="PrjProrWW.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0133.971] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="PrjProrWW.xml") returned 0x0 [0133.971] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.xml") returned 0x4d [0133.971] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0133.972] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x19da, lpOverlapped=0x0) returned 1 [0133.989] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0133.989] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x19e0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x19e0, lpOverlapped=0x0) returned 1 [0133.989] CloseHandle (hObject=0x78) returned 1 [0133.990] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0133.990] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0133.990] __uncaught_exception () returned 0x70700 [0133.990] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0133.990] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\prjprorww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\prjprorww.xml.[rmail@rmail.cc].rmaile")) returned 1 [0133.991] ??_V@YAXPAX@Z () returned 0x1 [0133.999] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.xml", dwFileAttributes=0x2000) returned 0 [0133.999] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\prjprorww.xml")) returned 0 [0133.999] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0133.999] wcsstr (_Str="PrjPrrWW.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0133.999] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 76 [0133.999] wcscmp (_String1="PrjPrrWW.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0133.999] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="PrjPrrWW.cab") returned 0x0 [0133.999] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 0x4c [0133.999] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\prjprrww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0134.000] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0134.154] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.155] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0134.173] CloseHandle (hObject=0x78) returned 1 [0134.173] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjPrrWW.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0134.173] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0134.173] __uncaught_exception () returned 0x70700 [0134.173] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0134.176] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjPrrWW.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\prjprrww.cab.[rmail@rmail.cc].rmaile")) returned 1 [0134.177] ??_V@YAXPAX@Z () returned 0x1 [0134.183] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjPrrWW.cab", dwFileAttributes=0x2000) returned 0 [0134.184] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\prjprrww.cab")) returned 0 [0134.184] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0134.184] wcsstr (_Str="setup.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0134.184] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\setup.exe") returned 73 [0134.184] wcscmp (_String1="setup.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0134.184] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="setup.exe") returned 0x0 [0134.184] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\setup.exe") returned 0x49 [0134.184] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0134.187] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0134.320] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.320] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0134.358] CloseHandle (hObject=0x78) returned 1 [0134.358] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\setup.exe", _Mode="a", _ShFlag=64) returned 0x76b32960 [0134.359] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0134.359] __uncaught_exception () returned 0x70700 [0134.359] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0134.360] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\setup.exe.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\setup.exe.[rmail@rmail.cc].rmaile")) returned 1 [0134.360] ??_V@YAXPAX@Z () returned 0x1 [0134.370] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\setup.exe", dwFileAttributes=0x2000) returned 0 [0134.370] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\setup.exe")) returned 0 [0134.370] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0134.370] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0134.370] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0134.370] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0134.370] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0134.370] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0134.371] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0134.371] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x43c8, lpOverlapped=0x0) returned 1 [0134.400] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.400] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x43d0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x43d0, lpOverlapped=0x0) returned 1 [0134.400] CloseHandle (hObject=0x78) returned 1 [0134.401] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0134.401] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0134.402] __uncaught_exception () returned 0x70700 [0134.402] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0134.402] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0134.403] ??_V@YAXPAX@Z () returned 0x1 [0134.413] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0134.414] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0134.414] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0134.414] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0134.414] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C") returned 0x3f [0134.414] strlen (_Str="${KEY}") returned 0x6 [0134.414] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0134.414] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0134.414] strlen (_Str="${CODE}") returned 0x7 [0134.414] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0134.414] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0134.414] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0134.415] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-003B-0000-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0134.415] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0134.415] __uncaught_exception () returned 0x70700 [0134.415] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0134.418] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0134.418] wcsstr (_Str="{91140000-0057-0000-0000-0000000FF1CE}-C", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0134.423] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C") returned 63 [0134.423] wcscmp (_String1=".", _String2="{91140000-0057-0000-0000-0000000FF1CE}-C") returned -1 [0134.424] wcscmp (_String1="..", _String2="{91140000-0057-0000-0000-0000000FF1CE}-C") returned -1 [0134.424] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C") returned 0x3f [0134.424] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\*") returned="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\*" [0134.424] FindFirstFileW (in: lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0134.512] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0134.512] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\.") returned 65 [0134.512] wcscmp (_String1=".", _String2=".") returned 0 [0134.512] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0134.512] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0134.512] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\..") returned 66 [0134.512] wcscmp (_String1=".", _String2="..") returned -1 [0134.512] wcscmp (_String1="..", _String2="..") returned 0 [0134.512] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0134.512] wcsstr (_Str="Office64WW.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0134.512] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.msi") returned 78 [0134.512] wcscmp (_String1="Office64WW.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0134.512] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Office64WW.msi") returned 0x0 [0134.512] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.msi") returned 0x4e [0134.512] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\office64ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0134.513] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0134.790] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.790] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0134.814] CloseHandle (hObject=0x78) returned 1 [0134.814] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0134.815] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0134.815] __uncaught_exception () returned 0x70700 [0134.815] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0134.855] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\office64ww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\office64ww.msi.[rmail@rmail.cc].rmaile")) returned 1 [0134.859] ??_V@YAXPAX@Z () returned 0x1 [0134.867] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.msi", dwFileAttributes=0x2000) returned 0 [0134.868] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\office64ww.msi")) returned 0 [0134.868] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0134.868] wcsstr (_Str="Office64WW.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0134.868] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.xml") returned 78 [0134.868] wcscmp (_String1="Office64WW.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0134.868] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Office64WW.xml") returned 0x0 [0134.868] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.xml") returned 0x4e [0134.868] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\office64ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0134.869] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x124d, lpOverlapped=0x0) returned 1 [0134.886] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0134.887] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1250, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x1250, lpOverlapped=0x0) returned 1 [0134.887] CloseHandle (hObject=0x78) returned 1 [0134.887] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0134.887] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0134.888] __uncaught_exception () returned 0x70700 [0134.888] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0134.888] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\office64ww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\office64ww.xml.[rmail@rmail.cc].rmaile")) returned 1 [0134.889] ??_V@YAXPAX@Z () returned 0x1 [0134.897] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.xml", dwFileAttributes=0x2000) returned 0 [0134.897] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Office64WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\office64ww.xml")) returned 0 [0134.897] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0134.897] wcsstr (_Str="ose.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0134.897] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\ose.exe") returned 71 [0134.897] wcscmp (_String1="ose.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0134.897] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ose.exe") returned 0x0 [0134.897] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\ose.exe") returned 0x47 [0134.897] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0134.910] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x24768, lpOverlapped=0x0) returned 1 [0135.175] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.175] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x24770, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x24770, lpOverlapped=0x0) returned 1 [0135.176] CloseHandle (hObject=0x78) returned 1 [0135.177] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\ose.exe", _Mode="a", _ShFlag=64) returned 0x76b32960 [0135.177] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0135.177] __uncaught_exception () returned 0x70700 [0135.177] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0135.178] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\ose.exe.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\ose.exe.[rmail@rmail.cc].rmaile")) returned 1 [0135.179] ??_V@YAXPAX@Z () returned 0x1 [0135.188] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\ose.exe", dwFileAttributes=0x2000) returned 0 [0135.188] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\ose.exe")) returned 0 [0135.188] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0135.188] wcsstr (_Str="osetup.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0135.188] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\osetup.dll") returned 74 [0135.188] wcscmp (_String1="osetup.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0135.188] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="osetup.dll") returned 0x0 [0135.188] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\osetup.dll") returned 0x4a [0135.188] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0135.190] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0135.368] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.368] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0135.439] CloseHandle (hObject=0x78) returned 1 [0135.442] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\osetup.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0135.442] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0135.442] __uncaught_exception () returned 0x70700 [0135.442] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0135.457] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\osetup.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\osetup.dll.[rmail@rmail.cc].rmaile")) returned 1 [0135.457] ??_V@YAXPAX@Z () returned 0x1 [0135.467] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\osetup.dll", dwFileAttributes=0x2000) returned 0 [0135.467] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\osetup.dll")) returned 0 [0135.467] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0135.467] wcsstr (_Str="OWOW64WW.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0135.467] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab") returned 76 [0135.467] wcscmp (_String1="OWOW64WW.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0135.467] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="OWOW64WW.cab") returned 0x0 [0135.467] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab") returned 0x4c [0135.467] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\owow64ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0135.468] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0135.603] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.603] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0135.621] CloseHandle (hObject=0x78) returned 1 [0135.622] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0135.622] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0135.622] __uncaught_exception () returned 0x70700 [0135.622] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0135.690] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\owow64ww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\owow64ww.cab.[rmail@rmail.cc].rmaile")) returned 1 [0135.691] ??_V@YAXPAX@Z () returned 0x1 [0135.699] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab", dwFileAttributes=0x2000) returned 0 [0135.699] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\OWOW64WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\owow64ww.cab")) returned 0 [0135.699] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0135.699] wcsstr (_Str="PidGenX.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0135.699] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\PidGenX.dll") returned 75 [0135.700] wcscmp (_String1="PidGenX.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0135.700] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="PidGenX.dll") returned 0x0 [0135.700] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\PidGenX.dll") returned 0x4b [0135.700] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0135.726] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0135.847] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.847] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0135.864] CloseHandle (hObject=0x78) returned 1 [0135.865] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\PidGenX.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0135.865] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0135.865] __uncaught_exception () returned 0x70700 [0135.865] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0135.865] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\pidgenx.dll"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\PidGenX.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\pidgenx.dll.[rmail@rmail.cc].rmaile")) returned 1 [0135.866] ??_V@YAXPAX@Z () returned 0x1 [0135.874] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\PidGenX.dll", dwFileAttributes=0x2000) returned 0 [0135.874] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\pidgenx.dll")) returned 0 [0135.874] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0135.874] wcsstr (_Str="pkeyconfig-office.xrm-ms", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0135.874] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 88 [0135.874] wcscmp (_String1="pkeyconfig-office.xrm-ms", _String2="!=How_recovery_files=!.txt") returned 1 [0135.874] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="pkeyconfig-office.xrm-ms") returned 0x0 [0135.874] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 0x58 [0135.874] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0135.875] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0xaec3a, lpOverlapped=0x0) returned 1 [0135.984] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0135.984] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0xaec40, lpOverlapped=0x0) returned 1 [0135.987] CloseHandle (hObject=0x78) returned 1 [0135.987] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", _Mode="a", _ShFlag=64) returned 0x76b32960 [0135.987] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0135.988] __uncaught_exception () returned 0x70700 [0135.988] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0135.988] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.[rmail@rmail.cc].rmaile")) returned 1 [0135.988] ??_V@YAXPAX@Z () returned 0x1 [0135.997] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms", dwFileAttributes=0x2000) returned 0 [0135.997] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0 [0135.997] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0135.997] wcsstr (_Str="setup.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0135.997] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\setup.exe") returned 73 [0135.997] wcscmp (_String1="setup.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0135.997] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="setup.exe") returned 0x0 [0135.997] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\setup.exe") returned 0x49 [0135.997] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0135.998] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0136.118] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.118] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0136.133] CloseHandle (hObject=0x78) returned 1 [0136.133] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\setup.exe", _Mode="a", _ShFlag=64) returned 0x76b32960 [0136.133] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0136.134] __uncaught_exception () returned 0x70700 [0136.134] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0136.134] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\setup.exe.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\setup.exe.[rmail@rmail.cc].rmaile")) returned 1 [0136.135] ??_V@YAXPAX@Z () returned 0x1 [0136.141] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\setup.exe", dwFileAttributes=0x2000) returned 0 [0136.141] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\setup.exe")) returned 0 [0136.141] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0136.141] wcsstr (_Str="Setup.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.141] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Setup.xml") returned 73 [0136.141] wcscmp (_String1="Setup.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0136.141] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Setup.xml") returned 0x0 [0136.141] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Setup.xml") returned 0x49 [0136.141] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0136.142] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x52fe, lpOverlapped=0x0) returned 1 [0136.196] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.196] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5300, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x5300, lpOverlapped=0x0) returned 1 [0136.196] CloseHandle (hObject=0x78) returned 1 [0136.196] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Setup.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0136.196] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0136.197] __uncaught_exception () returned 0x70700 [0136.197] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0136.197] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Setup.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\setup.xml.[rmail@rmail.cc].rmaile")) returned 1 [0136.197] ??_V@YAXPAX@Z () returned 0x1 [0136.205] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Setup.xml", dwFileAttributes=0x2000) returned 0 [0136.205] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\setup.xml")) returned 0 [0136.205] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0136.205] wcsstr (_Str="VisiorWW.cab", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.205] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.cab") returned 76 [0136.205] wcscmp (_String1="VisiorWW.cab", _String2="!=How_recovery_files=!.txt") returned 1 [0136.205] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="VisiorWW.cab") returned 0x0 [0136.205] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.cab") returned 0x4c [0136.205] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\visiorww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0136.206] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0136.415] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.415] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0136.429] CloseHandle (hObject=0x78) returned 1 [0136.429] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.cab", _Mode="a", _ShFlag=64) returned 0x76b32960 [0136.429] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0136.429] __uncaught_exception () returned 0x70700 [0136.429] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0136.647] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.cab.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\visiorww.cab.[rmail@rmail.cc].rmaile")) returned 1 [0136.648] ??_V@YAXPAX@Z () returned 0x1 [0136.655] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.cab", dwFileAttributes=0x2000) returned 0 [0136.656] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\visiorww.cab")) returned 0 [0136.656] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0136.656] wcsstr (_Str="VisiorWW.msi", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.656] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.msi") returned 76 [0136.656] wcscmp (_String1="VisiorWW.msi", _String2="!=How_recovery_files=!.txt") returned 1 [0136.656] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="VisiorWW.msi") returned 0x0 [0136.656] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.msi") returned 0x4c [0136.656] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\visiorww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0136.657] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x100000, lpOverlapped=0x0) returned 1 [0136.836] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.836] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x100010, lpOverlapped=0x0) returned 1 [0136.854] CloseHandle (hObject=0x78) returned 1 [0136.854] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.msi", _Mode="a", _ShFlag=64) returned 0x76b32960 [0136.854] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0136.854] __uncaught_exception () returned 0x70700 [0136.854] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0136.869] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.msi.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\visiorww.msi.[rmail@rmail.cc].rmaile")) returned 1 [0136.869] ??_V@YAXPAX@Z () returned 0x1 [0136.877] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.msi", dwFileAttributes=0x2000) returned 0 [0136.877] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\visiorww.msi")) returned 0 [0136.877] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0136.877] wcsstr (_Str="VisiorWW.xml", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.877] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.xml") returned 76 [0136.877] wcscmp (_String1="VisiorWW.xml", _String2="!=How_recovery_files=!.txt") returned 1 [0136.877] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="VisiorWW.xml") returned 0x0 [0136.877] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.xml") returned 0x4c [0136.877] CreateFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0136.877] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x22d5, lpOverlapped=0x0) returned 1 [0136.895] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0136.895] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x22e0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x22e0, lpOverlapped=0x0) returned 1 [0136.895] CloseHandle (hObject=0x78) returned 1 [0136.895] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.xml", _Mode="a", _ShFlag=64) returned 0x76b32960 [0136.895] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0136.896] __uncaught_exception () returned 0x70700 [0136.896] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0136.896] MoveFileW (lpExistingFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\visiorww.xml"), lpNewFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.xml.[rmail@rmail.cc].rmaile" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\visiorww.xml.[rmail@rmail.cc].rmaile")) returned 1 [0136.896] ??_V@YAXPAX@Z () returned 0x1 [0136.904] SetFileAttributesW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.xml", dwFileAttributes=0x2000) returned 0 [0136.904] DeleteFileW (lpFileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-0000-0000000ff1ce}-c\\visiorww.xml")) returned 0 [0136.905] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0 [0136.905] FindClose (in: hFindFile=0x44e3a8 | out: hFindFile=0x44e3a8) returned 1 [0136.905] wcslen (_String="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C") returned 0x3f [0136.905] strlen (_Str="${KEY}") returned 0x6 [0136.905] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0136.905] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0136.905] strlen (_Str="${CODE}") returned 0x7 [0136.905] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0136.905] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0136.905] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0136.905] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\{91140000-0057-0000-0000-0000000FF1CE}-C\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0136.906] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0136.906] __uncaught_exception () returned 0x70700 [0136.906] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0136.907] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0136.907] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0136.907] wcslen (_String="C:\\\\MSOCache\\All Users") returned 0x16 [0136.907] strlen (_Str="${KEY}") returned 0x6 [0136.907] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0136.908] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0136.908] strlen (_Str="${CODE}") returned 0x7 [0136.908] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0136.908] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0136.908] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0136.908] _wfsopen (_FileName="C:\\\\MSOCache\\All Users\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0136.908] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0136.908] __uncaught_exception () returned 0x70700 [0136.908] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0136.910] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 0 [0136.910] FindClose (in: hFindFile=0x44aa78 | out: hFindFile=0x44aa78) returned 1 [0136.910] wcslen (_String="C:\\\\MSOCache") returned 0xc [0136.910] strlen (_Str="${KEY}") returned 0x6 [0136.910] memchr (_Buf=0x7d150, _Val=36, _MaxCount=0x11) returned 0x7d15d [0136.910] memchr (_Buf=0x7d15e, _Val=36, _MaxCount=0x3) returned 0x0 [0136.910] strlen (_Str="${CODE}") returned 0x7 [0136.910] memchr (_Buf=0x7d150, _Val=36, _MaxCount=0x10) returned 0x7d15d [0136.910] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0136.910] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0136.910] _wfsopen (_FileName="C:\\\\MSOCache\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0136.911] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0136.911] __uncaught_exception () returned 0x70700 [0136.911] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0136.913] FindNextFileW (in: hFindFile=0x44aa38, lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 1 [0136.913] wcsstr (_Str="pagefile.sys", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.913] _snwprintf (in: _Dest=0x1af760, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\pagefile.sys") returned 16 [0136.913] wcscmp (_String1="pagefile.sys", _String2="!=How_recovery_files=!.txt") returned 1 [0136.913] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="pagefile.sys") returned 0x0 [0136.913] wcslen (_String="C:\\\\pagefile.sys") returned 0x10 [0136.913] CreateFileW (lpFileName="C:\\\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0136.913] GetLastError () returned 0x20 [0136.913] FindNextFileW (in: hFindFile=0x44aa38, lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 1 [0136.913] wcsstr (_Str="PerfLogs", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.913] _snwprintf (in: _Dest=0x1af760, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\PerfLogs") returned 12 [0136.913] wcscmp (_String1=".", _String2="PerfLogs") returned -1 [0136.913] wcscmp (_String1="..", _String2="PerfLogs") returned -1 [0136.913] wcslen (_String="C:\\\\PerfLogs") returned 0xc [0136.913] wcscat (in: _Dest=0x1af2a4, _Source="\\*" | out: _Dest="C:\\\\PerfLogs\\*") returned="C:\\\\PerfLogs\\*" [0136.913] FindFirstFileW (in: lpFileName="C:\\\\PerfLogs\\*", lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 0x44aa78 [0136.914] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.914] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\PerfLogs\\.") returned 14 [0136.914] wcscmp (_String1=".", _String2=".") returned 0 [0136.914] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0136.914] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.914] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\PerfLogs\\..") returned 15 [0136.914] wcscmp (_String1=".", _String2="..") returned -1 [0136.914] wcscmp (_String1="..", _String2="..") returned 0 [0136.914] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0136.914] wcsstr (_Str="Admin", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.914] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\PerfLogs\\Admin") returned 18 [0136.914] wcscmp (_String1=".", _String2="Admin") returned -1 [0136.914] wcscmp (_String1="..", _String2="Admin") returned -1 [0136.914] wcslen (_String="C:\\\\PerfLogs\\Admin") returned 0x12 [0136.914] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\PerfLogs\\Admin\\*") returned="C:\\\\PerfLogs\\Admin\\*" [0136.914] FindFirstFileW (in: lpFileName="C:\\\\PerfLogs\\Admin\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0136.914] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.914] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\PerfLogs\\Admin\\.") returned 20 [0136.914] wcscmp (_String1=".", _String2=".") returned 0 [0136.914] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0136.914] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.914] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\PerfLogs\\Admin\\..") returned 21 [0136.914] wcscmp (_String1=".", _String2="..") returned -1 [0136.914] wcscmp (_String1="..", _String2="..") returned 0 [0136.914] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0 [0136.915] FindClose (in: hFindFile=0x44a8c8 | out: hFindFile=0x44a8c8) returned 1 [0136.915] wcslen (_String="C:\\\\PerfLogs\\Admin") returned 0x12 [0136.915] strlen (_Str="${KEY}") returned 0x6 [0136.915] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x11) returned 0x7d135 [0136.915] memchr (_Buf=0x7d136, _Val=36, _MaxCount=0x3) returned 0x0 [0136.915] strlen (_Str="${CODE}") returned 0x7 [0136.915] memchr (_Buf=0x7d128, _Val=36, _MaxCount=0x10) returned 0x7d135 [0136.915] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0136.915] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0136.915] _wfsopen (_FileName="C:\\\\PerfLogs\\Admin\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0136.915] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0136.915] __uncaught_exception () returned 0x70700 [0136.915] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0136.917] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 0 [0136.917] FindClose (in: hFindFile=0x44aa78 | out: hFindFile=0x44aa78) returned 1 [0136.917] wcslen (_String="C:\\\\PerfLogs") returned 0xc [0136.917] strlen (_Str="${KEY}") returned 0x6 [0136.917] memchr (_Buf=0x7d150, _Val=36, _MaxCount=0x11) returned 0x7d15d [0136.917] memchr (_Buf=0x7d15e, _Val=36, _MaxCount=0x3) returned 0x0 [0136.917] strlen (_Str="${CODE}") returned 0x7 [0136.917] memchr (_Buf=0x7d150, _Val=36, _MaxCount=0x10) returned 0x7d15d [0136.918] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0136.918] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0136.918] _wfsopen (_FileName="C:\\\\PerfLogs\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0136.919] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0136.919] __uncaught_exception () returned 0x70700 [0136.919] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0136.920] FindNextFileW (in: hFindFile=0x44aa38, lpFindFileData=0x1af4e0 | out: lpFindFileData=0x1af4e0) returned 1 [0136.920] wcsstr (_Str="Program Files", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.921] _snwprintf (in: _Dest=0x1af760, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files") returned 17 [0136.921] wcscmp (_String1=".", _String2="Program Files") returned -1 [0136.921] wcscmp (_String1="..", _String2="Program Files") returned -1 [0136.921] wcslen (_String="C:\\\\Program Files") returned 0x11 [0136.921] wcscat (in: _Dest=0x1af2a4, _Source="\\*" | out: _Dest="C:\\\\Program Files\\*") returned="C:\\\\Program Files\\*" [0136.921] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\*", lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 0x44aa78 [0136.921] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.921] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\.") returned 19 [0136.921] wcscmp (_String1=".", _String2=".") returned 0 [0136.921] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0136.921] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.921] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\..") returned 20 [0136.921] wcscmp (_String1=".", _String2="..") returned -1 [0136.921] wcscmp (_String1="..", _String2="..") returned 0 [0136.921] FindNextFileW (in: hFindFile=0x44aa78, lpFindFileData=0x1af024 | out: lpFindFileData=0x1af024) returned 1 [0136.921] wcsstr (_Str="Adobe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.921] _snwprintf (in: _Dest=0x1af2a4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe") returned 23 [0136.921] wcscmp (_String1=".", _String2="Adobe") returned -1 [0136.921] wcscmp (_String1="..", _String2="Adobe") returned -1 [0136.921] wcslen (_String="C:\\\\Program Files\\Adobe") returned 0x17 [0136.921] wcscat (in: _Dest=0x1aede8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\*") returned="C:\\\\Program Files\\Adobe\\*" [0136.921] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\*", lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 0x44a8c8 [0136.922] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.922] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\.") returned 25 [0136.922] wcscmp (_String1=".", _String2=".") returned 0 [0136.922] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0136.922] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.922] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\..") returned 26 [0136.922] wcscmp (_String1=".", _String2="..") returned -1 [0136.922] wcscmp (_String1="..", _String2="..") returned 0 [0136.922] FindNextFileW (in: hFindFile=0x44a8c8, lpFindFileData=0x1aeb68 | out: lpFindFileData=0x1aeb68) returned 1 [0136.922] wcsstr (_Str="Reader 10.0", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.922] _snwprintf (in: _Dest=0x1aede8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0") returned 35 [0136.922] wcscmp (_String1=".", _String2="Reader 10.0") returned -1 [0136.922] wcscmp (_String1="..", _String2="Reader 10.0") returned -1 [0136.922] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0") returned 0x23 [0136.922] wcscat (in: _Dest=0x1ae92c, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\*" [0136.922] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\*", lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 0x44e3a8 [0136.922] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.922] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\.") returned 37 [0136.922] wcscmp (_String1=".", _String2=".") returned 0 [0136.922] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0136.922] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.922] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\..") returned 38 [0136.922] wcscmp (_String1=".", _String2="..") returned -1 [0136.922] wcscmp (_String1="..", _String2="..") returned 0 [0136.922] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0136.922] wcsstr (_Str="Benioku.htm", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0136.922] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Benioku.htm") returned 47 [0136.923] wcscmp (_String1="Benioku.htm", _String2="!=How_recovery_files=!.txt") returned 1 [0136.923] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Benioku.htm") returned 0x0 [0136.923] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Benioku.htm") returned 0x2f [0136.923] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Benioku.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\benioku.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0136.925] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x4268, lpOverlapped=0x0) returned 1 [0137.076] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.076] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x4270, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x4270, lpOverlapped=0x0) returned 1 [0137.077] CloseHandle (hObject=0x78) returned 1 [0137.078] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Benioku.htm", _Mode="a", _ShFlag=64) returned 0x76b32960 [0137.078] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0137.078] __uncaught_exception () returned 0x70700 [0137.078] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0137.079] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Benioku.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\benioku.htm"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Benioku.htm.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\benioku.htm.[rmail@rmail.cc].rmaile")) returned 1 [0137.079] ??_V@YAXPAX@Z () returned 0x1 [0137.089] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Benioku.htm", dwFileAttributes=0x0) returned 0 [0137.089] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Benioku.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\benioku.htm")) returned 0 [0137.089] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0137.089] wcsstr (_Str="Berime.htm", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0137.089] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Berime.htm") returned 46 [0137.089] wcscmp (_String1="Berime.htm", _String2="!=How_recovery_files=!.txt") returned 1 [0137.090] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Berime.htm") returned 0x0 [0137.090] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Berime.htm") returned 0x2e [0137.090] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Berime.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\berime.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0137.091] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x42ba, lpOverlapped=0x0) returned 1 [0137.139] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.139] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x42c0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x42c0, lpOverlapped=0x0) returned 1 [0137.140] CloseHandle (hObject=0x78) returned 1 [0137.140] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Berime.htm", _Mode="a", _ShFlag=64) returned 0x76b32960 [0137.141] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0137.141] __uncaught_exception () returned 0x70700 [0137.141] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0137.141] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Berime.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\berime.htm"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Berime.htm.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\berime.htm.[rmail@rmail.cc].rmaile")) returned 1 [0137.142] ??_V@YAXPAX@Z () returned 0x1 [0137.148] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Berime.htm", dwFileAttributes=0x0) returned 0 [0137.148] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Berime.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\berime.htm")) returned 0 [0137.148] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0137.148] wcsstr (_Str="Esl", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0137.148] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl") returned 39 [0137.148] wcscmp (_String1=".", _String2="Esl") returned -1 [0137.148] wcscmp (_String1="..", _String2="Esl") returned -1 [0137.148] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl") returned 0x27 [0137.148] wcscat (in: _Dest=0x1ae470, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\*" [0137.148] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\*", lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 0x44e3e8 [0137.148] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0137.148] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\.") returned 41 [0137.149] wcscmp (_String1=".", _String2=".") returned 0 [0137.149] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0137.149] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0137.149] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\..") returned 42 [0137.149] wcscmp (_String1=".", _String2="..") returned -1 [0137.149] wcscmp (_String1="..", _String2="..") returned 0 [0137.149] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0137.149] wcsstr (_Str="AiodLite.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0137.149] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll") returned 52 [0137.149] wcscmp (_String1="AiodLite.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0137.149] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AiodLite.dll") returned 0x0 [0137.149] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll") returned 0x34 [0137.149] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\esl\\aiodlite.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0137.149] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x19798, lpOverlapped=0x0) returned 1 [0137.224] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.224] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x197a0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x197a0, lpOverlapped=0x0) returned 1 [0137.225] CloseHandle (hObject=0x80) returned 1 [0137.225] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0137.225] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0137.225] __uncaught_exception () returned 0x70700 [0137.225] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0137.225] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\esl\\aiodlite.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\esl\\aiodlite.dll.[rmail@rmail.cc].rmaile")) returned 1 [0137.226] ??_V@YAXPAX@Z () returned 0x1 [0137.232] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll", dwFileAttributes=0x0) returned 0 [0137.232] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\esl\\aiodlite.dll")) returned 0 [0137.232] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 0 [0137.233] FindClose (in: hFindFile=0x44e3e8 | out: hFindFile=0x44e3e8) returned 1 [0137.233] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl") returned 0x27 [0137.233] strlen (_Str="${KEY}") returned 0x6 [0137.233] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0137.233] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0137.233] strlen (_Str="${CODE}") returned 0x7 [0137.233] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0137.233] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0137.233] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0137.233] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Esl\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0137.233] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0137.233] __uncaught_exception () returned 0x70700 [0137.233] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0137.234] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0137.234] wcsstr (_Str="IrakHau.htm", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0137.235] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\IrakHau.htm") returned 47 [0137.235] wcscmp (_String1="IrakHau.htm", _String2="!=How_recovery_files=!.txt") returned 1 [0137.235] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="IrakHau.htm") returned 0x0 [0137.235] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\IrakHau.htm") returned 0x2f [0137.235] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\IrakHau.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\irakhau.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0137.237] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x4288, lpOverlapped=0x0) returned 1 [0137.349] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.349] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x4290, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x4290, lpOverlapped=0x0) returned 1 [0137.349] CloseHandle (hObject=0x78) returned 1 [0137.350] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\IrakHau.htm", _Mode="a", _ShFlag=64) returned 0x76b32960 [0137.350] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0137.350] __uncaught_exception () returned 0x70700 [0137.350] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0137.350] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\IrakHau.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\irakhau.htm"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\IrakHau.htm.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\irakhau.htm.[rmail@rmail.cc].rmaile")) returned 1 [0137.351] ??_V@YAXPAX@Z () returned 0x1 [0137.359] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\IrakHau.htm", dwFileAttributes=0x0) returned 0 [0137.359] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\IrakHau.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\irakhau.htm")) returned 0 [0137.359] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0137.359] wcsstr (_Str="Leame.htm", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0137.359] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leame.htm") returned 45 [0137.359] wcscmp (_String1="Leame.htm", _String2="!=How_recovery_files=!.txt") returned 1 [0137.359] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Leame.htm") returned 0x0 [0137.359] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leame.htm") returned 0x2d [0137.359] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leame.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\leame.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0137.361] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x423b, lpOverlapped=0x0) returned 1 [0137.379] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.379] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x4240, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x4240, lpOverlapped=0x0) returned 1 [0137.380] CloseHandle (hObject=0x78) returned 1 [0137.380] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leame.htm", _Mode="a", _ShFlag=64) returned 0x76b32960 [0137.380] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0137.381] __uncaught_exception () returned 0x70700 [0137.381] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0137.381] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leame.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\leame.htm"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leame.htm.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\leame.htm.[rmail@rmail.cc].rmaile")) returned 1 [0137.382] ??_V@YAXPAX@Z () returned 0x1 [0137.390] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leame.htm", dwFileAttributes=0x0) returned 0 [0137.390] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leame.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\leame.htm")) returned 0 [0137.390] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0137.390] wcsstr (_Str="LeesMij.htm", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0137.390] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeesMij.htm") returned 47 [0137.390] wcscmp (_String1="LeesMij.htm", _String2="!=How_recovery_files=!.txt") returned 1 [0137.390] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="LeesMij.htm") returned 0x0 [0137.390] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeesMij.htm") returned 0x2f [0137.390] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeesMij.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\leesmij.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0137.391] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x41e3, lpOverlapped=0x0) returned 1 [0137.540] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.540] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x41f0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x41f0, lpOverlapped=0x0) returned 1 [0137.540] CloseHandle (hObject=0x78) returned 1 [0137.540] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeesMij.htm", _Mode="a", _ShFlag=64) returned 0x76b32960 [0137.540] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0137.540] __uncaught_exception () returned 0x70700 [0137.540] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0137.541] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeesMij.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\leesmij.htm"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeesMij.htm.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\leesmij.htm.[rmail@rmail.cc].rmaile")) returned 1 [0137.541] ??_V@YAXPAX@Z () returned 0x1 [0137.547] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeesMij.htm", dwFileAttributes=0x0) returned 0 [0137.547] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeesMij.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\leesmij.htm")) returned 0 [0137.547] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0137.547] wcsstr (_Str="Leggimi.htm", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0137.547] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leggimi.htm") returned 47 [0137.547] wcscmp (_String1="Leggimi.htm", _String2="!=How_recovery_files=!.txt") returned 1 [0137.547] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Leggimi.htm") returned 0x0 [0137.547] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leggimi.htm") returned 0x2f [0137.547] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leggimi.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\leggimi.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0137.548] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x4289, lpOverlapped=0x0) returned 1 [0137.569] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.569] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x4290, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x4290, lpOverlapped=0x0) returned 1 [0137.570] CloseHandle (hObject=0x78) returned 1 [0137.570] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leggimi.htm", _Mode="a", _ShFlag=64) returned 0x76b32960 [0137.570] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0137.570] __uncaught_exception () returned 0x70700 [0137.570] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0137.570] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leggimi.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\leggimi.htm"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leggimi.htm.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\leggimi.htm.[rmail@rmail.cc].rmaile")) returned 1 [0137.571] ??_V@YAXPAX@Z () returned 0x1 [0137.611] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leggimi.htm", dwFileAttributes=0x0) returned 0 [0137.611] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Leggimi.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\leggimi.htm")) returned 0 [0137.611] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0137.611] wcsstr (_Str="LeiaMe.htm", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0137.611] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeiaMe.htm") returned 46 [0137.611] wcscmp (_String1="LeiaMe.htm", _String2="!=How_recovery_files=!.txt") returned 1 [0137.611] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="LeiaMe.htm") returned 0x0 [0137.611] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeiaMe.htm") returned 0x2e [0137.611] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeiaMe.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\leiame.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0137.611] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x4273, lpOverlapped=0x0) returned 1 [0137.679] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.680] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x4280, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x4280, lpOverlapped=0x0) returned 1 [0137.680] CloseHandle (hObject=0x78) returned 1 [0137.680] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeiaMe.htm", _Mode="a", _ShFlag=64) returned 0x76b32960 [0137.680] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0137.680] __uncaught_exception () returned 0x70700 [0137.680] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0137.680] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeiaMe.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\leiame.htm"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeiaMe.htm.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\leiame.htm.[rmail@rmail.cc].rmaile")) returned 1 [0137.681] ??_V@YAXPAX@Z () returned 0x1 [0137.687] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeiaMe.htm", dwFileAttributes=0x0) returned 0 [0137.688] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LeiaMe.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\leiame.htm")) returned 0 [0137.688] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0137.688] wcsstr (_Str="Liesmich.htm", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0137.688] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Liesmich.htm") returned 48 [0137.688] wcscmp (_String1="Liesmich.htm", _String2="!=How_recovery_files=!.txt") returned 1 [0137.688] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Liesmich.htm") returned 0x0 [0137.688] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Liesmich.htm") returned 0x30 [0137.688] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Liesmich.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\liesmich.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0137.689] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x42b6, lpOverlapped=0x0) returned 1 [0137.821] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.821] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x42c0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x42c0, lpOverlapped=0x0) returned 1 [0137.821] CloseHandle (hObject=0x78) returned 1 [0137.821] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Liesmich.htm", _Mode="a", _ShFlag=64) returned 0x76b32960 [0137.821] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0137.821] __uncaught_exception () returned 0x70700 [0137.821] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0137.822] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Liesmich.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\liesmich.htm"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Liesmich.htm.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\liesmich.htm.[rmail@rmail.cc].rmaile")) returned 1 [0137.822] ??_V@YAXPAX@Z () returned 0x1 [0137.828] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Liesmich.htm", dwFileAttributes=0x0) returned 0 [0137.828] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Liesmich.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\liesmich.htm")) returned 0 [0137.828] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0137.829] wcsstr (_Str="Lisezmoi.htm", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0137.829] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Lisezmoi.htm") returned 48 [0137.829] wcscmp (_String1="Lisezmoi.htm", _String2="!=How_recovery_files=!.txt") returned 1 [0137.829] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Lisezmoi.htm") returned 0x0 [0137.829] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Lisezmoi.htm") returned 0x30 [0137.829] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Lisezmoi.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\lisezmoi.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0137.830] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x43c7, lpOverlapped=0x0) returned 1 [0137.927] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0137.928] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x43d0, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x43d0, lpOverlapped=0x0) returned 1 [0137.928] CloseHandle (hObject=0x78) returned 1 [0137.928] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Lisezmoi.htm", _Mode="a", _ShFlag=64) returned 0x76b32960 [0137.928] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0137.929] __uncaught_exception () returned 0x70700 [0137.929] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0137.929] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Lisezmoi.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\lisezmoi.htm"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Lisezmoi.htm.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\lisezmoi.htm.[rmail@rmail.cc].rmaile")) returned 1 [0137.930] ??_V@YAXPAX@Z () returned 0x1 [0137.938] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Lisezmoi.htm", dwFileAttributes=0x0) returned 0 [0137.938] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Lisezmoi.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\lisezmoi.htm")) returned 0 [0137.938] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0137.938] wcsstr (_Str="Llegiu-me.htm", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0137.938] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Llegiu-me.htm") returned 49 [0137.938] wcscmp (_String1="Llegiu-me.htm", _String2="!=How_recovery_files=!.txt") returned 1 [0137.938] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Llegiu-me.htm") returned 0x0 [0137.938] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Llegiu-me.htm") returned 0x31 [0137.938] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Llegiu-me.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\llegiu-me.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0137.939] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x41fc, lpOverlapped=0x0) returned 1 [0138.167] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.167] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x4200, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x4200, lpOverlapped=0x0) returned 1 [0138.168] CloseHandle (hObject=0x78) returned 1 [0138.168] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Llegiu-me.htm", _Mode="a", _ShFlag=64) returned 0x76b32960 [0138.168] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0138.168] __uncaught_exception () returned 0x70700 [0138.168] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0138.169] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Llegiu-me.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\llegiu-me.htm"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Llegiu-me.htm.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\llegiu-me.htm.[rmail@rmail.cc].rmaile")) returned 1 [0138.170] ??_V@YAXPAX@Z () returned 0x1 [0138.177] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Llegiu-me.htm", dwFileAttributes=0x0) returned 0 [0138.178] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Llegiu-me.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\llegiu-me.htm")) returned 0 [0138.178] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0138.178] wcsstr (_Str="LueMinut.htm", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0138.178] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\LueMinut.htm") returned 48 [0138.178] wcscmp (_String1="LueMinut.htm", _String2="!=How_recovery_files=!.txt") returned 1 [0138.178] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="LueMinut.htm") returned 0x0 [0138.178] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\LueMinut.htm") returned 0x30 [0138.178] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LueMinut.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\lueminut.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0138.179] ReadFile (in: hFile=0x78, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae618*=0x434e, lpOverlapped=0x0) returned 1 [0138.251] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.251] WriteFile (in: hFile=0x78, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x4350, lpNumberOfBytesWritten=0x1ae618, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae618*=0x4350, lpOverlapped=0x0) returned 1 [0138.251] CloseHandle (hObject=0x78) returned 1 [0138.252] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LueMinut.htm", _Mode="a", _ShFlag=64) returned 0x76b32960 [0138.252] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0138.252] __uncaught_exception () returned 0x70700 [0138.252] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0138.252] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LueMinut.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\lueminut.htm"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LueMinut.htm.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\lueminut.htm.[rmail@rmail.cc].rmaile")) returned 1 [0138.253] ??_V@YAXPAX@Z () returned 0x1 [0138.261] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LueMinut.htm", dwFileAttributes=0x0) returned 0 [0138.261] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\LueMinut.htm" (normalized: "c:\\program files\\adobe\\reader 10.0\\lueminut.htm")) returned 0 [0138.261] FindNextFileW (in: hFindFile=0x44e3a8, lpFindFileData=0x1ae6ac | out: lpFindFileData=0x1ae6ac) returned 1 [0138.261] wcsstr (_Str="Reader", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0138.261] _snwprintf (in: _Dest=0x1ae92c, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader") returned 42 [0138.261] wcscmp (_String1=".", _String2="Reader") returned -1 [0138.261] wcscmp (_String1="..", _String2="Reader") returned -1 [0138.261] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader") returned 0x2a [0138.261] wcscat (in: _Dest=0x1ae470, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\*" [0138.261] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\*", lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 0x44e3e8 [0138.261] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0138.261] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\.") returned 44 [0138.261] wcscmp (_String1=".", _String2=".") returned 0 [0138.261] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0138.261] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0138.261] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\..") returned 45 [0138.261] wcscmp (_String1=".", _String2="..") returned -1 [0138.262] wcscmp (_String1="..", _String2="..") returned 0 [0138.262] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0138.262] wcsstr (_Str="A3DUtils.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0138.262] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\A3DUtils.dll") returned 55 [0138.262] wcscmp (_String1="A3DUtils.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0138.262] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="A3DUtils.dll") returned 0x0 [0138.262] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\A3DUtils.dll") returned 0x37 [0138.262] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\A3DUtils.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\a3dutils.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0138.263] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x32398, lpOverlapped=0x0) returned 1 [0138.371] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.371] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x323a0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x323a0, lpOverlapped=0x0) returned 1 [0138.372] CloseHandle (hObject=0x80) returned 1 [0138.372] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\A3DUtils.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0138.372] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0138.373] __uncaught_exception () returned 0x70700 [0138.373] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0138.373] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\A3DUtils.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\a3dutils.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\A3DUtils.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\a3dutils.dll.[rmail@rmail.cc].rmaile")) returned 1 [0138.374] ??_V@YAXPAX@Z () returned 0x1 [0138.382] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\A3DUtils.dll", dwFileAttributes=0x0) returned 0 [0138.382] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\A3DUtils.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\a3dutils.dll")) returned 0 [0138.382] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0138.382] wcsstr (_Str="ACE.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0138.382] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ACE.dll") returned 50 [0138.382] wcscmp (_String1="ACE.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0138.382] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ACE.dll") returned 0x0 [0138.382] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ACE.dll") returned 0x32 [0138.382] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ACE.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\ace.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0138.383] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0xc7d88, lpOverlapped=0x0) returned 1 [0138.501] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.501] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xc7d90, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0xc7d90, lpOverlapped=0x0) returned 1 [0138.503] CloseHandle (hObject=0x80) returned 1 [0138.504] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ACE.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0138.504] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0138.504] __uncaught_exception () returned 0x70700 [0138.504] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0138.504] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ACE.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\ace.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ACE.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\ace.dll.[rmail@rmail.cc].rmaile")) returned 1 [0138.505] ??_V@YAXPAX@Z () returned 0x1 [0138.511] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ACE.dll", dwFileAttributes=0x0) returned 0 [0138.511] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ACE.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\ace.dll")) returned 0 [0138.511] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0138.511] wcsstr (_Str="AcroBroker.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0138.511] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroBroker.exe") returned 57 [0138.511] wcscmp (_String1="AcroBroker.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0138.511] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AcroBroker.exe") returned 0x0 [0138.511] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroBroker.exe") returned 0x39 [0138.511] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroBroker.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrobroker.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0138.512] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x47f98, lpOverlapped=0x0) returned 1 [0138.599] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.599] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x47fa0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x47fa0, lpOverlapped=0x0) returned 1 [0138.600] CloseHandle (hObject=0x80) returned 1 [0138.600] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroBroker.exe", _Mode="a", _ShFlag=64) returned 0x76b32960 [0138.600] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0138.600] __uncaught_exception () returned 0x70700 [0138.600] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0138.601] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroBroker.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrobroker.exe"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroBroker.exe.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrobroker.exe.[rmail@rmail.cc].rmaile")) returned 1 [0138.602] ??_V@YAXPAX@Z () returned 0x1 [0138.608] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroBroker.exe", dwFileAttributes=0x0) returned 0 [0138.609] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroBroker.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrobroker.exe")) returned 0 [0138.609] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0138.609] wcsstr (_Str="Acrofx32.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0138.609] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Acrofx32.dll") returned 55 [0138.609] wcscmp (_String1="Acrofx32.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0138.609] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Acrofx32.dll") returned 0x0 [0138.609] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Acrofx32.dll") returned 0x37 [0138.609] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Acrofx32.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrofx32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0138.610] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0xf798, lpOverlapped=0x0) returned 1 [0138.652] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.652] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xf7a0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0xf7a0, lpOverlapped=0x0) returned 1 [0138.652] CloseHandle (hObject=0x80) returned 1 [0138.652] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Acrofx32.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0138.652] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0138.653] __uncaught_exception () returned 0x70700 [0138.653] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0138.653] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Acrofx32.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrofx32.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Acrofx32.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrofx32.dll.[rmail@rmail.cc].rmaile")) returned 1 [0138.655] ??_V@YAXPAX@Z () returned 0x1 [0138.661] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Acrofx32.dll", dwFileAttributes=0x0) returned 0 [0138.662] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Acrofx32.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrofx32.dll")) returned 0 [0138.662] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0138.662] wcsstr (_Str="AcroRd32.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0138.662] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.dll") returned 55 [0138.662] wcscmp (_String1="AcroRd32.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0138.662] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AcroRd32.dll") returned 0x0 [0138.662] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.dll") returned 0x37 [0138.662] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrord32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0138.662] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0138.757] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0138.757] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0138.775] CloseHandle (hObject=0x80) returned 1 [0138.776] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0138.776] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0138.776] __uncaught_exception () returned 0x70700 [0138.776] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0138.857] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrord32.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrord32.dll.[rmail@rmail.cc].rmaile")) returned 1 [0138.858] ??_V@YAXPAX@Z () returned 0x1 [0138.865] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.dll", dwFileAttributes=0x0) returned 0 [0138.865] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrord32.dll")) returned 0 [0138.865] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0138.865] wcsstr (_Str="AcroRd32.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0138.865] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe") returned 55 [0138.865] wcscmp (_String1="AcroRd32.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0138.865] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AcroRd32.exe") returned 0x0 [0138.865] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe") returned 0x37 [0138.865] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrord32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0138.865] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0139.089] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.089] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0139.103] CloseHandle (hObject=0x80) returned 1 [0139.104] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe", _Mode="a", _ShFlag=64) returned 0x76b32960 [0139.104] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0139.104] __uncaught_exception () returned 0x70700 [0139.104] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0139.104] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrord32.exe"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrord32.exe.[rmail@rmail.cc].rmaile")) returned 1 [0139.105] ??_V@YAXPAX@Z () returned 0x1 [0139.111] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe", dwFileAttributes=0x0) returned 0 [0139.111] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrord32.exe")) returned 0 [0139.111] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0139.111] wcsstr (_Str="AcroRd32Info.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0139.111] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32Info.exe") returned 59 [0139.111] wcscmp (_String1="AcroRd32Info.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0139.111] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AcroRd32Info.exe") returned 0x0 [0139.111] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32Info.exe") returned 0x3b [0139.111] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32Info.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrord32info.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0139.112] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x45a0, lpOverlapped=0x0) returned 1 [0139.300] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.300] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x45b0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x45b0, lpOverlapped=0x0) returned 1 [0139.301] CloseHandle (hObject=0x80) returned 1 [0139.301] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32Info.exe", _Mode="a", _ShFlag=64) returned 0x76b32960 [0139.301] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0139.301] __uncaught_exception () returned 0x70700 [0139.301] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0139.302] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32Info.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrord32info.exe"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32Info.exe.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrord32info.exe.[rmail@rmail.cc].rmaile")) returned 1 [0139.302] ??_V@YAXPAX@Z () returned 0x1 [0139.309] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32Info.exe", dwFileAttributes=0x0) returned 0 [0139.309] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroRd32Info.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrord32info.exe")) returned 0 [0139.309] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0139.309] wcsstr (_Str="AcroTextExtractor.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0139.309] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroTextExtractor.exe") returned 64 [0139.309] wcscmp (_String1="AcroTextExtractor.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0139.309] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AcroTextExtractor.exe") returned 0x0 [0139.309] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroTextExtractor.exe") returned 0x40 [0139.309] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroTextExtractor.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrotextextractor.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0139.310] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0xbfa8, lpOverlapped=0x0) returned 1 [0139.335] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.335] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xbfb0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0xbfb0, lpOverlapped=0x0) returned 1 [0139.335] CloseHandle (hObject=0x80) returned 1 [0139.336] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroTextExtractor.exe", _Mode="a", _ShFlag=64) returned 0x76b32960 [0139.336] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0139.336] __uncaught_exception () returned 0x70700 [0139.336] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0139.337] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroTextExtractor.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrotextextractor.exe"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroTextExtractor.exe.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrotextextractor.exe.[rmail@rmail.cc].rmaile")) returned 1 [0139.337] ??_V@YAXPAX@Z () returned 0x1 [0139.344] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroTextExtractor.exe", dwFileAttributes=0x0) returned 0 [0139.344] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AcroTextExtractor.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\acrotextextractor.exe")) returned 0 [0139.344] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0139.344] wcsstr (_Str="Adobe.Reader.Dependencies.manifest", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0139.344] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Adobe.Reader.Dependencies.manifest") returned 77 [0139.345] wcscmp (_String1="Adobe.Reader.Dependencies.manifest", _String2="!=How_recovery_files=!.txt") returned 1 [0139.345] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Adobe.Reader.Dependencies.manifest") returned 0x0 [0139.345] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Adobe.Reader.Dependencies.manifest") returned 0x4d [0139.345] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Adobe.Reader.Dependencies.manifest" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobe.reader.dependencies.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0139.345] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x5c0, lpOverlapped=0x0) returned 1 [0139.378] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.378] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5d0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x5d0, lpOverlapped=0x0) returned 1 [0139.378] CloseHandle (hObject=0x80) returned 1 [0139.379] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Adobe.Reader.Dependencies.manifest", _Mode="a", _ShFlag=64) returned 0x76b32960 [0139.379] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0139.379] __uncaught_exception () returned 0x70700 [0139.379] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0139.379] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Adobe.Reader.Dependencies.manifest" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobe.reader.dependencies.manifest"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Adobe.Reader.Dependencies.manifest.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobe.reader.dependencies.manifest.[rmail@rmail.cc].rmaile")) returned 1 [0139.380] ??_V@YAXPAX@Z () returned 0x1 [0139.388] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Adobe.Reader.Dependencies.manifest", dwFileAttributes=0x0) returned 0 [0139.388] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Adobe.Reader.Dependencies.manifest" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobe.reader.dependencies.manifest")) returned 0 [0139.388] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0139.388] wcsstr (_Str="AdobeCollabSync.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0139.388] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeCollabSync.exe") returned 62 [0139.388] wcscmp (_String1="AdobeCollabSync.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0139.388] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeCollabSync.exe") returned 0x0 [0139.388] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeCollabSync.exe") returned 0x3e [0139.388] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeCollabSync.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobecollabsync.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0139.389] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0139.505] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.505] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0139.528] CloseHandle (hObject=0x80) returned 1 [0139.528] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeCollabSync.exe", _Mode="a", _ShFlag=64) returned 0x76b32960 [0139.528] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0139.528] __uncaught_exception () returned 0x70700 [0139.529] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0139.529] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeCollabSync.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobecollabsync.exe"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeCollabSync.exe.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobecollabsync.exe.[rmail@rmail.cc].rmaile")) returned 1 [0139.530] ??_V@YAXPAX@Z () returned 0x1 [0139.536] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeCollabSync.exe", dwFileAttributes=0x0) returned 0 [0139.536] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeCollabSync.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobecollabsync.exe")) returned 0 [0139.536] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0139.536] wcsstr (_Str="AdobeLinguistic.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0139.536] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeLinguistic.dll") returned 62 [0139.536] wcscmp (_String1="AdobeLinguistic.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0139.536] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeLinguistic.dll") returned 0x0 [0139.536] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeLinguistic.dll") returned 0x3e [0139.536] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeLinguistic.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobelinguistic.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0139.539] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0xb8fa0, lpOverlapped=0x0) returned 1 [0139.642] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.642] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xb8fb0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0xb8fb0, lpOverlapped=0x0) returned 1 [0139.645] CloseHandle (hObject=0x80) returned 1 [0139.645] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeLinguistic.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0139.646] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0139.646] __uncaught_exception () returned 0x70700 [0139.646] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0139.646] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeLinguistic.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobelinguistic.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeLinguistic.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobelinguistic.dll.[rmail@rmail.cc].rmaile")) returned 1 [0139.647] ??_V@YAXPAX@Z () returned 0x1 [0139.656] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeLinguistic.dll", dwFileAttributes=0x0) returned 0 [0139.656] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeLinguistic.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobelinguistic.dll")) returned 0 [0139.656] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0139.656] wcsstr (_Str="adoberfp.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0139.656] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\adoberfp.dll") returned 55 [0139.656] wcscmp (_String1="adoberfp.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0139.656] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="adoberfp.dll") returned 0x0 [0139.656] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\adoberfp.dll") returned 0x37 [0139.656] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\adoberfp.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adoberfp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0139.657] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x37398, lpOverlapped=0x0) returned 1 [0139.802] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0139.803] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x373a0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x373a0, lpOverlapped=0x0) returned 1 [0139.803] CloseHandle (hObject=0x80) returned 1 [0139.804] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\adoberfp.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0139.804] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0139.804] __uncaught_exception () returned 0x70700 [0139.804] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0139.804] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\adoberfp.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adoberfp.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\adoberfp.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adoberfp.dll.[rmail@rmail.cc].rmaile")) returned 1 [0139.805] ??_V@YAXPAX@Z () returned 0x1 [0139.812] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\adoberfp.dll", dwFileAttributes=0x0) returned 0 [0139.812] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\adoberfp.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adoberfp.dll")) returned 0 [0139.812] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0139.813] wcsstr (_Str="AdobeXMP.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0139.813] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeXMP.dll") returned 55 [0139.813] wcscmp (_String1="AdobeXMP.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0139.813] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeXMP.dll") returned 0x0 [0139.813] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeXMP.dll") returned 0x37 [0139.813] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeXMP.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobexmp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0139.813] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x4a598, lpOverlapped=0x0) returned 1 [0140.011] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.011] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x4a5a0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x4a5a0, lpOverlapped=0x0) returned 1 [0140.013] CloseHandle (hObject=0x80) returned 1 [0140.014] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeXMP.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0140.014] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0140.014] __uncaught_exception () returned 0x70700 [0140.014] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0140.014] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeXMP.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobexmp.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeXMP.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobexmp.dll.[rmail@rmail.cc].rmaile")) returned 1 [0140.015] ??_V@YAXPAX@Z () returned 0x1 [0140.032] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeXMP.dll", dwFileAttributes=0x0) returned 0 [0140.032] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AdobeXMP.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\adobexmp.dll")) returned 0 [0140.032] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0140.032] wcsstr (_Str="AGM.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0140.032] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGM.dll") returned 50 [0140.032] wcscmp (_String1="AGM.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0140.032] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AGM.dll") returned 0x0 [0140.032] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGM.dll") returned 0x32 [0140.032] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGM.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\agm.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0140.033] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0140.270] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.270] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0140.285] CloseHandle (hObject=0x80) returned 1 [0140.285] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGM.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0140.285] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0140.285] __uncaught_exception () returned 0x70700 [0140.285] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0140.307] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGM.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\agm.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGM.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\agm.dll.[rmail@rmail.cc].rmaile")) returned 1 [0140.307] ??_V@YAXPAX@Z () returned 0x1 [0140.313] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGM.dll", dwFileAttributes=0x0) returned 0 [0140.313] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGM.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\agm.dll")) returned 0 [0140.313] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0140.313] wcsstr (_Str="AGMGPUOptIn.ini", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0140.313] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGMGPUOptIn.ini") returned 58 [0140.313] wcscmp (_String1="AGMGPUOptIn.ini", _String2="!=How_recovery_files=!.txt") returned 1 [0140.314] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AGMGPUOptIn.ini") returned 0x0 [0140.314] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGMGPUOptIn.ini") returned 0x3a [0140.314] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGMGPUOptIn.ini" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\agmgpuoptin.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0140.315] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x6bf, lpOverlapped=0x0) returned 1 [0140.384] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.384] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x6c0, lpOverlapped=0x0) returned 1 [0140.384] CloseHandle (hObject=0x80) returned 1 [0140.385] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGMGPUOptIn.ini", _Mode="a", _ShFlag=64) returned 0x76b32960 [0140.385] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0140.385] __uncaught_exception () returned 0x70700 [0140.385] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0140.385] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGMGPUOptIn.ini" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\agmgpuoptin.ini"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGMGPUOptIn.ini.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\agmgpuoptin.ini.[rmail@rmail.cc].rmaile")) returned 1 [0140.386] ??_V@YAXPAX@Z () returned 0x1 [0140.395] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGMGPUOptIn.ini", dwFileAttributes=0x0) returned 0 [0140.395] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AGMGPUOptIn.ini" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\agmgpuoptin.ini")) returned 0 [0140.396] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0140.396] wcsstr (_Str="ahclient.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0140.396] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ahclient.dll") returned 55 [0140.396] wcscmp (_String1="ahclient.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0140.396] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ahclient.dll") returned 0x0 [0140.396] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ahclient.dll") returned 0x37 [0140.396] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ahclient.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\ahclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0140.397] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x366c8, lpOverlapped=0x0) returned 1 [0140.614] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.614] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x366d0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x366d0, lpOverlapped=0x0) returned 1 [0140.615] CloseHandle (hObject=0x80) returned 1 [0140.616] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ahclient.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0140.616] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0140.616] __uncaught_exception () returned 0x70700 [0140.616] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0140.616] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ahclient.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\ahclient.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ahclient.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\ahclient.dll.[rmail@rmail.cc].rmaile")) returned 1 [0140.617] ??_V@YAXPAX@Z () returned 0x1 [0140.623] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ahclient.dll", dwFileAttributes=0x0) returned 0 [0140.623] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ahclient.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\ahclient.dll")) returned 0 [0140.623] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0140.623] wcsstr (_Str="AIR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0140.623] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR") returned 46 [0140.623] wcscmp (_String1=".", _String2="AIR") returned -1 [0140.623] wcscmp (_String1="..", _String2="AIR") returned -1 [0140.623] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR") returned 0x2e [0140.624] wcscat (in: _Dest=0x1adfb4, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\*" [0140.624] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\*", lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 0x44e428 [0140.690] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0140.690] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\.") returned 48 [0140.691] wcscmp (_String1=".", _String2=".") returned 0 [0140.691] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0140.691] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0140.691] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\..") returned 49 [0140.691] wcscmp (_String1=".", _String2="..") returned -1 [0140.691] wcscmp (_String1="..", _String2="..") returned 0 [0140.691] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0140.691] wcsstr (_Str="nppdf32.CAT", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0140.691] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CAT") returned 58 [0140.691] wcscmp (_String1="nppdf32.CAT", _String2="!=How_recovery_files=!.txt") returned 1 [0140.691] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.CAT") returned 0x0 [0140.691] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CAT") returned 0x3a [0140.691] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CAT" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0140.692] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0140.770] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.770] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0140.771] CloseHandle (hObject=0x84) returned 1 [0140.771] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CAT", _Mode="a", _ShFlag=64) returned 0x76b32960 [0140.771] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0140.772] __uncaught_exception () returned 0x70700 [0140.772] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0140.772] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CAT" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.cat"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CAT.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.cat.[rmail@rmail.cc].rmaile")) returned 1 [0140.773] ??_V@YAXPAX@Z () returned 0x1 [0140.791] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CAT", dwFileAttributes=0x0) returned 0 [0140.791] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CAT" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.cat")) returned 0 [0140.791] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0140.791] wcsstr (_Str="nppdf32.CHS", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0140.792] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHS") returned 58 [0140.792] wcscmp (_String1="nppdf32.CHS", _String2="!=How_recovery_files=!.txt") returned 1 [0140.792] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.CHS") returned 0x0 [0140.792] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHS") returned 0x3a [0140.792] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHS" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.chs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0140.793] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0140.830] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.830] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0140.830] CloseHandle (hObject=0x84) returned 1 [0140.831] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHS", _Mode="a", _ShFlag=64) returned 0x76b32960 [0140.831] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0140.831] __uncaught_exception () returned 0x70700 [0140.831] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0140.832] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHS" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.chs"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHS.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.chs.[rmail@rmail.cc].rmaile")) returned 1 [0140.833] ??_V@YAXPAX@Z () returned 0x1 [0140.841] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHS", dwFileAttributes=0x0) returned 0 [0140.841] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHS" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.chs")) returned 0 [0140.841] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0140.841] wcsstr (_Str="nppdf32.CHT", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0140.841] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHT") returned 58 [0140.841] wcscmp (_String1="nppdf32.CHT", _String2="!=How_recovery_files=!.txt") returned 1 [0140.841] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.CHT") returned 0x0 [0140.841] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHT") returned 0x3a [0140.841] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHT" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.cht"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0140.842] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0140.898] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.898] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0140.898] CloseHandle (hObject=0x84) returned 1 [0140.898] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHT", _Mode="a", _ShFlag=64) returned 0x76b32960 [0140.898] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0140.899] __uncaught_exception () returned 0x70700 [0140.899] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0140.899] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHT" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.cht"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHT.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.cht.[rmail@rmail.cc].rmaile")) returned 1 [0140.899] ??_V@YAXPAX@Z () returned 0x1 [0140.907] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHT", dwFileAttributes=0x0) returned 0 [0140.907] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CHT" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.cht")) returned 0 [0140.907] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0140.907] wcsstr (_Str="nppdf32.CZE", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0140.907] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CZE") returned 58 [0140.907] wcscmp (_String1="nppdf32.CZE", _String2="!=How_recovery_files=!.txt") returned 1 [0140.907] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.CZE") returned 0x0 [0140.907] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CZE") returned 0x3a [0140.907] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CZE" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0140.908] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0140.987] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0140.987] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0140.987] CloseHandle (hObject=0x84) returned 1 [0140.988] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CZE", _Mode="a", _ShFlag=64) returned 0x76b32960 [0140.988] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0140.988] __uncaught_exception () returned 0x70700 [0140.988] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0140.989] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CZE" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.cze"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CZE.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.cze.[rmail@rmail.cc].rmaile")) returned 1 [0140.990] ??_V@YAXPAX@Z () returned 0x1 [0140.997] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CZE", dwFileAttributes=0x0) returned 0 [0140.997] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.CZE" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.cze")) returned 0 [0140.997] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0140.998] wcsstr (_Str="nppdf32.DAN", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0140.998] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DAN") returned 58 [0140.998] wcscmp (_String1="nppdf32.DAN", _String2="!=How_recovery_files=!.txt") returned 1 [0140.998] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.DAN") returned 0x0 [0140.998] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DAN") returned 0x3a [0140.998] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DAN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0140.998] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0141.148] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.148] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0141.149] CloseHandle (hObject=0x84) returned 1 [0141.149] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DAN", _Mode="a", _ShFlag=64) returned 0x76b32960 [0141.149] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0141.149] __uncaught_exception () returned 0x70700 [0141.149] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0141.150] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DAN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.dan"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DAN.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.dan.[rmail@rmail.cc].rmaile")) returned 1 [0141.150] ??_V@YAXPAX@Z () returned 0x1 [0141.159] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DAN", dwFileAttributes=0x0) returned 0 [0141.159] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DAN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.dan")) returned 0 [0141.159] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0141.159] wcsstr (_Str="nppdf32.DEU", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0141.159] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DEU") returned 58 [0141.159] wcscmp (_String1="nppdf32.DEU", _String2="!=How_recovery_files=!.txt") returned 1 [0141.159] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.DEU") returned 0x0 [0141.159] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DEU") returned 0x3a [0141.159] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DEU" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0141.160] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x2000, lpOverlapped=0x0) returned 1 [0141.244] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.245] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x2010, lpOverlapped=0x0) returned 1 [0141.245] CloseHandle (hObject=0x84) returned 1 [0141.246] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DEU", _Mode="a", _ShFlag=64) returned 0x76b32960 [0141.246] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0141.246] __uncaught_exception () returned 0x70700 [0141.246] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0141.246] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DEU" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.deu"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DEU.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.deu.[rmail@rmail.cc].rmaile")) returned 1 [0141.247] ??_V@YAXPAX@Z () returned 0x1 [0141.255] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DEU", dwFileAttributes=0x0) returned 0 [0141.255] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.DEU" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.deu")) returned 0 [0141.255] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0141.255] wcsstr (_Str="nppdf32.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0141.255] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.dll") returned 58 [0141.255] wcscmp (_String1="nppdf32.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0141.255] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.dll") returned 0x0 [0141.255] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.dll") returned 0x3a [0141.255] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0141.256] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x21190, lpOverlapped=0x0) returned 1 [0141.323] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.323] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x211a0, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x211a0, lpOverlapped=0x0) returned 1 [0141.324] CloseHandle (hObject=0x84) returned 1 [0141.324] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0141.324] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0141.324] __uncaught_exception () returned 0x70700 [0141.324] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0141.325] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.dll.[rmail@rmail.cc].rmaile")) returned 1 [0141.325] ??_V@YAXPAX@Z () returned 0x1 [0141.333] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.dll", dwFileAttributes=0x0) returned 0 [0141.333] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.dll")) returned 0 [0141.333] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0141.333] wcsstr (_Str="nppdf32.ESP", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0141.333] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ESP") returned 58 [0141.333] wcscmp (_String1="nppdf32.ESP", _String2="!=How_recovery_files=!.txt") returned 1 [0141.333] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.ESP") returned 0x0 [0141.333] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ESP") returned 0x3a [0141.334] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ESP" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.esp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0141.335] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0141.400] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.400] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0141.400] CloseHandle (hObject=0x84) returned 1 [0141.400] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ESP", _Mode="a", _ShFlag=64) returned 0x76b32960 [0141.400] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0141.401] __uncaught_exception () returned 0x70700 [0141.401] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0141.401] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ESP" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.esp"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ESP.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.esp.[rmail@rmail.cc].rmaile")) returned 1 [0141.402] ??_V@YAXPAX@Z () returned 0x1 [0141.408] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ESP", dwFileAttributes=0x0) returned 0 [0141.408] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ESP" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.esp")) returned 0 [0141.408] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0141.408] wcsstr (_Str="nppdf32.EUQ", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0141.408] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.EUQ") returned 58 [0141.408] wcscmp (_String1="nppdf32.EUQ", _String2="!=How_recovery_files=!.txt") returned 1 [0141.408] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.EUQ") returned 0x0 [0141.408] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.EUQ") returned 0x3a [0141.408] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.EUQ" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.euq"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0141.409] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0141.500] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.500] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0141.500] CloseHandle (hObject=0x84) returned 1 [0141.500] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.EUQ", _Mode="a", _ShFlag=64) returned 0x76b32960 [0141.500] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0141.500] __uncaught_exception () returned 0x70700 [0141.500] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0141.501] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.EUQ" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.euq"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.EUQ.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.euq.[rmail@rmail.cc].rmaile")) returned 1 [0141.501] ??_V@YAXPAX@Z () returned 0x1 [0141.514] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.EUQ", dwFileAttributes=0x0) returned 0 [0141.514] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.EUQ" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.euq")) returned 0 [0141.514] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0141.514] wcsstr (_Str="nppdf32.FRA", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0141.514] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.FRA") returned 58 [0141.514] wcscmp (_String1="nppdf32.FRA", _String2="!=How_recovery_files=!.txt") returned 1 [0141.514] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.FRA") returned 0x0 [0141.514] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.FRA") returned 0x3a [0141.514] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.FRA" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.fra"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0141.515] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x2000, lpOverlapped=0x0) returned 1 [0141.538] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.538] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x2010, lpOverlapped=0x0) returned 1 [0141.539] CloseHandle (hObject=0x84) returned 1 [0141.539] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.FRA", _Mode="a", _ShFlag=64) returned 0x76b32960 [0141.539] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0141.539] __uncaught_exception () returned 0x70700 [0141.539] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0141.539] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.FRA" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.fra"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.FRA.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.fra.[rmail@rmail.cc].rmaile")) returned 1 [0141.540] ??_V@YAXPAX@Z () returned 0x1 [0141.546] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.FRA", dwFileAttributes=0x0) returned 0 [0141.546] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.FRA" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.fra")) returned 0 [0141.546] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0141.546] wcsstr (_Str="nppdf32.HRV", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0141.546] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HRV") returned 58 [0141.546] wcscmp (_String1="nppdf32.HRV", _String2="!=How_recovery_files=!.txt") returned 1 [0141.546] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.HRV") returned 0x0 [0141.546] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HRV") returned 0x3a [0141.546] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HRV" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.hrv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0141.546] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0141.653] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.653] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0141.653] CloseHandle (hObject=0x84) returned 1 [0141.653] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HRV", _Mode="a", _ShFlag=64) returned 0x76b32960 [0141.654] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0141.654] __uncaught_exception () returned 0x70700 [0141.654] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0141.657] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HRV" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.hrv"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HRV.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.hrv.[rmail@rmail.cc].rmaile")) returned 1 [0141.657] ??_V@YAXPAX@Z () returned 0x1 [0141.668] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HRV", dwFileAttributes=0x0) returned 0 [0141.668] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HRV" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.hrv")) returned 0 [0141.668] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0141.668] wcsstr (_Str="nppdf32.HUN", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0141.668] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HUN") returned 58 [0141.668] wcscmp (_String1="nppdf32.HUN", _String2="!=How_recovery_files=!.txt") returned 1 [0141.668] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.HUN") returned 0x0 [0141.668] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HUN") returned 0x3a [0141.669] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HUN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.hun"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0141.669] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0141.681] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.681] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0141.682] CloseHandle (hObject=0x84) returned 1 [0141.682] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HUN", _Mode="a", _ShFlag=64) returned 0x76b32960 [0141.682] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0141.682] __uncaught_exception () returned 0x70700 [0141.682] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0141.682] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HUN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.hun"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HUN.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.hun.[rmail@rmail.cc].rmaile")) returned 1 [0141.683] ??_V@YAXPAX@Z () returned 0x1 [0141.691] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HUN", dwFileAttributes=0x0) returned 0 [0141.692] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.HUN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.hun")) returned 0 [0141.692] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0141.692] wcsstr (_Str="nppdf32.ITA", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0141.692] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ITA") returned 58 [0141.692] wcscmp (_String1="nppdf32.ITA", _String2="!=How_recovery_files=!.txt") returned 1 [0141.692] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.ITA") returned 0x0 [0141.692] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ITA") returned 0x3a [0141.692] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ITA" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.ita"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0141.693] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0141.718] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.718] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0141.718] CloseHandle (hObject=0x84) returned 1 [0141.718] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ITA", _Mode="a", _ShFlag=64) returned 0x76b32960 [0141.718] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0141.718] __uncaught_exception () returned 0x70700 [0141.719] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0141.719] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ITA" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.ita"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ITA.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.ita.[rmail@rmail.cc].rmaile")) returned 1 [0141.720] ??_V@YAXPAX@Z () returned 0x1 [0141.728] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ITA", dwFileAttributes=0x0) returned 0 [0141.729] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.ITA" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.ita")) returned 0 [0141.729] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0141.729] wcsstr (_Str="nppdf32.JPN", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0141.729] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.JPN") returned 58 [0141.729] wcscmp (_String1="nppdf32.JPN", _String2="!=How_recovery_files=!.txt") returned 1 [0141.729] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.JPN") returned 0x0 [0141.729] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.JPN") returned 0x3a [0141.729] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.JPN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.jpn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0141.730] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1800, lpOverlapped=0x0) returned 1 [0141.823] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.823] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1810, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1810, lpOverlapped=0x0) returned 1 [0141.823] CloseHandle (hObject=0x84) returned 1 [0141.823] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.JPN", _Mode="a", _ShFlag=64) returned 0x76b32960 [0141.823] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0141.824] __uncaught_exception () returned 0x70700 [0141.824] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0141.824] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.JPN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.jpn"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.JPN.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.jpn.[rmail@rmail.cc].rmaile")) returned 1 [0141.824] ??_V@YAXPAX@Z () returned 0x1 [0141.834] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.JPN", dwFileAttributes=0x0) returned 0 [0141.835] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.JPN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.jpn")) returned 0 [0141.835] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0141.835] wcsstr (_Str="nppdf32.KOR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0141.835] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.KOR") returned 58 [0141.835] wcscmp (_String1="nppdf32.KOR", _String2="!=How_recovery_files=!.txt") returned 1 [0141.835] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.KOR") returned 0x0 [0141.835] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.KOR") returned 0x3a [0141.835] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.KOR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.kor"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0141.836] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0141.950] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0141.951] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0141.951] CloseHandle (hObject=0x84) returned 1 [0141.951] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.KOR", _Mode="a", _ShFlag=64) returned 0x76b32960 [0141.951] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0141.951] __uncaught_exception () returned 0x70700 [0141.951] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0141.952] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.KOR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.kor"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.KOR.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.kor.[rmail@rmail.cc].rmaile")) returned 1 [0141.952] ??_V@YAXPAX@Z () returned 0x1 [0141.960] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.KOR", dwFileAttributes=0x0) returned 0 [0141.960] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.KOR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.kor")) returned 0 [0141.960] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0141.960] wcsstr (_Str="nppdf32.NLD", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0141.960] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NLD") returned 58 [0141.960] wcscmp (_String1="nppdf32.NLD", _String2="!=How_recovery_files=!.txt") returned 1 [0141.961] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.NLD") returned 0x0 [0141.961] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NLD") returned 0x3a [0141.961] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NLD" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.nld"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0141.961] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0142.028] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.028] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0142.028] CloseHandle (hObject=0x84) returned 1 [0142.028] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NLD", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.029] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.029] __uncaught_exception () returned 0x70700 [0142.029] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.029] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NLD" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.nld"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NLD.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.nld.[rmail@rmail.cc].rmaile")) returned 1 [0142.030] ??_V@YAXPAX@Z () returned 0x1 [0142.037] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NLD", dwFileAttributes=0x0) returned 0 [0142.037] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NLD" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.nld")) returned 0 [0142.037] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0142.037] wcsstr (_Str="nppdf32.NOR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.037] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NOR") returned 58 [0142.037] wcscmp (_String1="nppdf32.NOR", _String2="!=How_recovery_files=!.txt") returned 1 [0142.037] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.NOR") returned 0x0 [0142.037] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NOR") returned 0x3a [0142.037] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NOR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.nor"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0142.037] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0142.072] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.072] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0142.073] CloseHandle (hObject=0x84) returned 1 [0142.073] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NOR", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.073] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.073] __uncaught_exception () returned 0x70700 [0142.074] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.074] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NOR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.nor"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NOR.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.nor.[rmail@rmail.cc].rmaile")) returned 1 [0142.075] ??_V@YAXPAX@Z () returned 0x1 [0142.083] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NOR", dwFileAttributes=0x0) returned 0 [0142.083] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.NOR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.nor")) returned 0 [0142.083] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0142.083] wcsstr (_Str="nppdf32.POL", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.083] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.POL") returned 58 [0142.083] wcscmp (_String1="nppdf32.POL", _String2="!=How_recovery_files=!.txt") returned 1 [0142.083] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.POL") returned 0x0 [0142.083] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.POL") returned 0x3a [0142.083] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.POL" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.pol"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0142.084] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x2000, lpOverlapped=0x0) returned 1 [0142.101] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.101] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x2010, lpOverlapped=0x0) returned 1 [0142.101] CloseHandle (hObject=0x84) returned 1 [0142.101] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.POL", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.102] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.102] __uncaught_exception () returned 0x70700 [0142.102] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.102] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.POL" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.pol"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.POL.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.pol.[rmail@rmail.cc].rmaile")) returned 1 [0142.102] ??_V@YAXPAX@Z () returned 0x1 [0142.112] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.POL", dwFileAttributes=0x0) returned 0 [0142.113] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.POL" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.pol")) returned 0 [0142.113] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0142.113] wcsstr (_Str="nppdf32.PTB", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.113] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.PTB") returned 58 [0142.113] wcscmp (_String1="nppdf32.PTB", _String2="!=How_recovery_files=!.txt") returned 1 [0142.113] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.PTB") returned 0x0 [0142.113] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.PTB") returned 0x3a [0142.113] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.PTB" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.ptb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0142.113] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0142.155] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.155] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0142.156] CloseHandle (hObject=0x84) returned 1 [0142.156] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.PTB", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.156] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.156] __uncaught_exception () returned 0x70700 [0142.156] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.156] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.PTB" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.ptb"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.PTB.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.ptb.[rmail@rmail.cc].rmaile")) returned 1 [0142.165] ??_V@YAXPAX@Z () returned 0x1 [0142.173] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.PTB", dwFileAttributes=0x0) returned 0 [0142.173] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.PTB" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.ptb")) returned 0 [0142.173] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0142.173] wcsstr (_Str="nppdf32.RUM", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.174] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUM") returned 58 [0142.174] wcscmp (_String1="nppdf32.RUM", _String2="!=How_recovery_files=!.txt") returned 1 [0142.174] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.RUM") returned 0x0 [0142.174] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUM") returned 0x3a [0142.174] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUM" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.rum"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0142.174] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x2000, lpOverlapped=0x0) returned 1 [0142.189] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.189] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x2010, lpOverlapped=0x0) returned 1 [0142.190] CloseHandle (hObject=0x84) returned 1 [0142.190] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUM", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.190] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.190] __uncaught_exception () returned 0x70700 [0142.190] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.190] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUM" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.rum"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUM.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.rum.[rmail@rmail.cc].rmaile")) returned 1 [0142.191] ??_V@YAXPAX@Z () returned 0x1 [0142.199] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUM", dwFileAttributes=0x0) returned 0 [0142.200] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUM" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.rum")) returned 0 [0142.200] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0142.200] wcsstr (_Str="nppdf32.RUS", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.200] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUS") returned 58 [0142.200] wcscmp (_String1="nppdf32.RUS", _String2="!=How_recovery_files=!.txt") returned 1 [0142.200] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.RUS") returned 0x0 [0142.200] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUS") returned 0x3a [0142.200] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUS" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.rus"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0142.200] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0142.231] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.231] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0142.231] CloseHandle (hObject=0x84) returned 1 [0142.231] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUS", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.231] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.231] __uncaught_exception () returned 0x70700 [0142.231] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.232] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUS" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.rus"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUS.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.rus.[rmail@rmail.cc].rmaile")) returned 1 [0142.232] ??_V@YAXPAX@Z () returned 0x1 [0142.240] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUS", dwFileAttributes=0x0) returned 0 [0142.240] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.RUS" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.rus")) returned 0 [0142.240] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0142.241] wcsstr (_Str="nppdf32.SKY", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.241] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SKY") returned 58 [0142.241] wcscmp (_String1="nppdf32.SKY", _String2="!=How_recovery_files=!.txt") returned 1 [0142.241] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.SKY") returned 0x0 [0142.241] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SKY") returned 0x3a [0142.241] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SKY" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.sky"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0142.241] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0142.301] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.301] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0142.301] CloseHandle (hObject=0x84) returned 1 [0142.301] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SKY", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.301] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.301] __uncaught_exception () returned 0x70700 [0142.301] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.302] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SKY" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.sky"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SKY.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.sky.[rmail@rmail.cc].rmaile")) returned 1 [0142.302] ??_V@YAXPAX@Z () returned 0x1 [0142.309] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SKY", dwFileAttributes=0x0) returned 0 [0142.309] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SKY" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.sky")) returned 0 [0142.309] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0142.309] wcsstr (_Str="nppdf32.SLV", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.309] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SLV") returned 58 [0142.309] wcscmp (_String1="nppdf32.SLV", _String2="!=How_recovery_files=!.txt") returned 1 [0142.309] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.SLV") returned 0x0 [0142.309] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SLV") returned 0x3a [0142.310] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SLV" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.slv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0142.311] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0142.345] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.345] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0142.345] CloseHandle (hObject=0x84) returned 1 [0142.345] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SLV", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.345] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.346] __uncaught_exception () returned 0x70700 [0142.346] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.346] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SLV" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.slv"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SLV.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.slv.[rmail@rmail.cc].rmaile")) returned 1 [0142.347] ??_V@YAXPAX@Z () returned 0x1 [0142.354] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SLV", dwFileAttributes=0x0) returned 0 [0142.354] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SLV" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.slv")) returned 0 [0142.355] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0142.355] wcsstr (_Str="nppdf32.SUO", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.355] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SUO") returned 58 [0142.355] wcscmp (_String1="nppdf32.SUO", _String2="!=How_recovery_files=!.txt") returned 1 [0142.355] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.SUO") returned 0x0 [0142.355] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SUO") returned 0x3a [0142.355] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SUO" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.suo"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0142.355] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0142.392] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.392] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0142.393] CloseHandle (hObject=0x84) returned 1 [0142.393] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SUO", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.393] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.393] __uncaught_exception () returned 0x70700 [0142.393] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.394] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SUO" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.suo"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SUO.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.suo.[rmail@rmail.cc].rmaile")) returned 1 [0142.394] ??_V@YAXPAX@Z () returned 0x1 [0142.402] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SUO", dwFileAttributes=0x0) returned 0 [0142.402] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SUO" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.suo")) returned 0 [0142.403] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0142.403] wcsstr (_Str="nppdf32.SVE", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.403] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SVE") returned 58 [0142.403] wcscmp (_String1="nppdf32.SVE", _String2="!=How_recovery_files=!.txt") returned 1 [0142.403] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.SVE") returned 0x0 [0142.403] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SVE") returned 0x3a [0142.403] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SVE" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.sve"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0142.403] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0142.531] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.531] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0142.532] CloseHandle (hObject=0x84) returned 1 [0142.532] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SVE", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.532] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.532] __uncaught_exception () returned 0x70700 [0142.532] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.532] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SVE" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.sve"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SVE.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.sve.[rmail@rmail.cc].rmaile")) returned 1 [0142.557] ??_V@YAXPAX@Z () returned 0x1 [0142.563] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SVE", dwFileAttributes=0x0) returned 0 [0142.563] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.SVE" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.sve")) returned 0 [0142.563] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0142.563] wcsstr (_Str="nppdf32.TUR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.563] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.TUR") returned 58 [0142.563] wcscmp (_String1="nppdf32.TUR", _String2="!=How_recovery_files=!.txt") returned 1 [0142.563] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.TUR") returned 0x0 [0142.563] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.TUR") returned 0x3a [0142.563] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.TUR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.tur"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0142.564] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0142.578] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.579] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0142.579] CloseHandle (hObject=0x84) returned 1 [0142.579] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.TUR", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.579] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.579] __uncaught_exception () returned 0x70700 [0142.579] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.579] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.TUR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.tur"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.TUR.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.tur.[rmail@rmail.cc].rmaile")) returned 1 [0142.580] ??_V@YAXPAX@Z () returned 0x1 [0142.586] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.TUR", dwFileAttributes=0x0) returned 0 [0142.586] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.TUR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.tur")) returned 0 [0142.586] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0142.586] wcsstr (_Str="nppdf32.UKR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.586] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.UKR") returned 58 [0142.586] wcscmp (_String1="nppdf32.UKR", _String2="!=How_recovery_files=!.txt") returned 1 [0142.586] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.UKR") returned 0x0 [0142.586] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.UKR") returned 0x3a [0142.586] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.UKR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.ukr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0142.587] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0142.624] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.624] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0142.624] CloseHandle (hObject=0x84) returned 1 [0142.624] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.UKR", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.624] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.625] __uncaught_exception () returned 0x70700 [0142.625] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.625] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.UKR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.ukr"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.UKR.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.ukr.[rmail@rmail.cc].rmaile")) returned 1 [0142.626] ??_V@YAXPAX@Z () returned 0x1 [0142.638] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.UKR", dwFileAttributes=0x0) returned 0 [0142.638] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\nppdf32.UKR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\air\\nppdf32.ukr")) returned 0 [0142.638] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 0 [0142.638] FindClose (in: hFindFile=0x44e428 | out: hFindFile=0x44e428) returned 1 [0142.638] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR") returned 0x2e [0142.638] strlen (_Str="${KEY}") returned 0x6 [0142.638] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0142.638] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0142.638] strlen (_Str="${CODE}") returned 0x7 [0142.638] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0142.638] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0142.638] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0142.638] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AIR\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0142.641] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0142.641] __uncaught_exception () returned 0x70700 [0142.641] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.642] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0142.643] wcsstr (_Str="authplay.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.643] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\authplay.dll") returned 55 [0142.643] wcscmp (_String1="authplay.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0142.643] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="authplay.dll") returned 0x0 [0142.643] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\authplay.dll") returned 0x37 [0142.643] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\authplay.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\authplay.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0142.643] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0142.834] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.834] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0142.852] CloseHandle (hObject=0x80) returned 1 [0142.852] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\authplay.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.852] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.852] __uncaught_exception () returned 0x70700 [0142.852] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.861] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\authplay.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\authplay.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\authplay.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\authplay.dll.[rmail@rmail.cc].rmaile")) returned 1 [0142.861] ??_V@YAXPAX@Z () returned 0x1 [0142.869] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\authplay.dll", dwFileAttributes=0x0) returned 0 [0142.869] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\authplay.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\authplay.dll")) returned 0 [0142.869] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0142.869] wcsstr (_Str="AXE8SharedExpat.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.869] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXE8SharedExpat.dll") returned 62 [0142.869] wcscmp (_String1="AXE8SharedExpat.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0142.869] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AXE8SharedExpat.dll") returned 0x0 [0142.869] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXE8SharedExpat.dll") returned 0x3e [0142.869] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXE8SharedExpat.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\axe8sharedexpat.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0142.870] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x2a9a0, lpOverlapped=0x0) returned 1 [0142.924] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0142.924] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x2a9b0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x2a9b0, lpOverlapped=0x0) returned 1 [0142.925] CloseHandle (hObject=0x80) returned 1 [0142.925] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXE8SharedExpat.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0142.925] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0142.926] __uncaught_exception () returned 0x70700 [0142.926] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0142.926] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXE8SharedExpat.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\axe8sharedexpat.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXE8SharedExpat.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\axe8sharedexpat.dll.[rmail@rmail.cc].rmaile")) returned 1 [0142.926] ??_V@YAXPAX@Z () returned 0x1 [0142.935] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXE8SharedExpat.dll", dwFileAttributes=0x0) returned 0 [0142.935] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXE8SharedExpat.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\axe8sharedexpat.dll")) returned 0 [0142.935] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0142.935] wcsstr (_Str="AXSLE.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0142.935] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXSLE.dll") returned 52 [0142.935] wcscmp (_String1="AXSLE.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0142.935] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AXSLE.dll") returned 0x0 [0142.935] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXSLE.dll") returned 0x34 [0142.935] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXSLE.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\axsle.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0142.936] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x91590, lpOverlapped=0x0) returned 1 [0143.141] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.141] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x915a0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x915a0, lpOverlapped=0x0) returned 1 [0143.143] CloseHandle (hObject=0x80) returned 1 [0143.143] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXSLE.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0143.144] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0143.144] __uncaught_exception () returned 0x70700 [0143.144] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0143.144] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXSLE.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\axsle.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXSLE.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\axsle.dll.[rmail@rmail.cc].rmaile")) returned 1 [0143.145] ??_V@YAXPAX@Z () returned 0x1 [0143.153] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXSLE.dll", dwFileAttributes=0x0) returned 0 [0143.153] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\AXSLE.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\axsle.dll")) returned 0 [0143.153] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0143.153] wcsstr (_Str="BIB.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0143.153] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIB.dll") returned 50 [0143.153] wcscmp (_String1="BIB.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0143.153] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="BIB.dll") returned 0x0 [0143.153] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIB.dll") returned 0x32 [0143.153] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIB.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\bib.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0143.154] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x1af88, lpOverlapped=0x0) returned 1 [0143.282] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.282] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1af90, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x1af90, lpOverlapped=0x0) returned 1 [0143.282] CloseHandle (hObject=0x80) returned 1 [0143.282] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIB.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0143.282] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0143.282] __uncaught_exception () returned 0x70700 [0143.282] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0143.283] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIB.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\bib.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIB.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\bib.dll.[rmail@rmail.cc].rmaile")) returned 1 [0143.283] ??_V@YAXPAX@Z () returned 0x1 [0143.290] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIB.dll", dwFileAttributes=0x0) returned 0 [0143.290] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIB.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\bib.dll")) returned 0 [0143.290] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0143.290] wcsstr (_Str="BIBUtils.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0143.290] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIBUtils.dll") returned 55 [0143.290] wcscmp (_String1="BIBUtils.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0143.290] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="BIBUtils.dll") returned 0x0 [0143.291] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIBUtils.dll") returned 0x37 [0143.291] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIBUtils.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\bibutils.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0143.291] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x25b98, lpOverlapped=0x0) returned 1 [0143.544] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.544] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x25ba0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x25ba0, lpOverlapped=0x0) returned 1 [0143.545] CloseHandle (hObject=0x80) returned 1 [0143.545] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIBUtils.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0143.545] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0143.546] __uncaught_exception () returned 0x70700 [0143.546] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0143.546] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIBUtils.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\bibutils.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIBUtils.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\bibutils.dll.[rmail@rmail.cc].rmaile")) returned 1 [0143.547] ??_V@YAXPAX@Z () returned 0x1 [0143.554] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIBUtils.dll", dwFileAttributes=0x0) returned 0 [0143.554] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\BIBUtils.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\bibutils.dll")) returned 0 [0143.554] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0143.554] wcsstr (_Str="Browser", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0143.554] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser") returned 50 [0143.555] wcscmp (_String1=".", _String2="Browser") returned -1 [0143.555] wcscmp (_String1="..", _String2="Browser") returned -1 [0143.555] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser") returned 0x32 [0143.555] wcscat (in: _Dest=0x1adfb4, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\*" [0143.555] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\*", lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 0x44e428 [0143.571] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0143.572] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\.") returned 52 [0143.572] wcscmp (_String1=".", _String2=".") returned 0 [0143.572] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0143.572] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0143.572] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\..") returned 53 [0143.572] wcscmp (_String1=".", _String2="..") returned -1 [0143.572] wcscmp (_String1="..", _String2="..") returned 0 [0143.572] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0143.572] wcsstr (_Str="nppdf32.CAT", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0143.572] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CAT") returned 62 [0143.572] wcscmp (_String1="nppdf32.CAT", _String2="!=How_recovery_files=!.txt") returned 1 [0143.572] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.CAT") returned 0x0 [0143.572] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CAT") returned 0x3e [0143.572] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CAT" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0143.573] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0143.669] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.669] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0143.669] CloseHandle (hObject=0x84) returned 1 [0143.669] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CAT", _Mode="a", _ShFlag=64) returned 0x76b32960 [0143.670] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0143.670] __uncaught_exception () returned 0x70700 [0143.670] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0143.671] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CAT" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cat"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CAT.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cat.[rmail@rmail.cc].rmaile")) returned 1 [0143.672] ??_V@YAXPAX@Z () returned 0x1 [0143.686] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CAT", dwFileAttributes=0x0) returned 0 [0143.687] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CAT" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cat")) returned 0 [0143.687] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0143.687] wcsstr (_Str="nppdf32.CHS", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0143.687] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHS") returned 62 [0143.687] wcscmp (_String1="nppdf32.CHS", _String2="!=How_recovery_files=!.txt") returned 1 [0143.687] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.CHS") returned 0x0 [0143.687] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHS") returned 0x3e [0143.687] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHS" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.chs"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0143.688] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0143.732] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.732] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0143.732] CloseHandle (hObject=0x84) returned 1 [0143.733] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHS", _Mode="a", _ShFlag=64) returned 0x76b32960 [0143.733] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0143.733] __uncaught_exception () returned 0x70700 [0143.733] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0143.733] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHS" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.chs"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHS.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.chs.[rmail@rmail.cc].rmaile")) returned 1 [0143.734] ??_V@YAXPAX@Z () returned 0x1 [0143.742] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHS", dwFileAttributes=0x0) returned 0 [0143.742] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHS" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.chs")) returned 0 [0143.742] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0143.742] wcsstr (_Str="nppdf32.CHT", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0143.742] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHT") returned 62 [0143.742] wcscmp (_String1="nppdf32.CHT", _String2="!=How_recovery_files=!.txt") returned 1 [0143.742] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.CHT") returned 0x0 [0143.742] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHT") returned 0x3e [0143.742] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHT" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cht"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0143.743] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0143.791] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.791] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0143.791] CloseHandle (hObject=0x84) returned 1 [0143.791] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHT", _Mode="a", _ShFlag=64) returned 0x76b32960 [0143.791] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0143.791] __uncaught_exception () returned 0x70700 [0143.791] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0143.792] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHT" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cht"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHT.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cht.[rmail@rmail.cc].rmaile")) returned 1 [0143.793] ??_V@YAXPAX@Z () returned 0x1 [0143.800] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHT", dwFileAttributes=0x0) returned 0 [0143.801] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CHT" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cht")) returned 0 [0143.801] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0143.801] wcsstr (_Str="nppdf32.CZE", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0143.801] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CZE") returned 62 [0143.801] wcscmp (_String1="nppdf32.CZE", _String2="!=How_recovery_files=!.txt") returned 1 [0143.801] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.CZE") returned 0x0 [0143.801] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CZE") returned 0x3e [0143.801] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CZE" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0143.802] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0143.830] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0143.831] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0143.831] CloseHandle (hObject=0x84) returned 1 [0143.831] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CZE", _Mode="a", _ShFlag=64) returned 0x76b32960 [0143.832] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0143.832] __uncaught_exception () returned 0x70700 [0143.832] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0143.832] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CZE" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cze"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CZE.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cze.[rmail@rmail.cc].rmaile")) returned 1 [0143.833] ??_V@YAXPAX@Z () returned 0x1 [0143.847] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CZE", dwFileAttributes=0x0) returned 0 [0143.848] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.CZE" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.cze")) returned 0 [0143.848] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0143.848] wcsstr (_Str="nppdf32.DAN", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0143.848] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DAN") returned 62 [0143.848] wcscmp (_String1="nppdf32.DAN", _String2="!=How_recovery_files=!.txt") returned 1 [0143.848] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.DAN") returned 0x0 [0143.848] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DAN") returned 0x3e [0143.848] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DAN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0143.849] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0144.144] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.144] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0144.144] CloseHandle (hObject=0x84) returned 1 [0144.144] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DAN", _Mode="a", _ShFlag=64) returned 0x76b32960 [0144.145] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0144.145] __uncaught_exception () returned 0x70700 [0144.145] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0144.145] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DAN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.dan"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DAN.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.dan.[rmail@rmail.cc].rmaile")) returned 1 [0144.146] ??_V@YAXPAX@Z () returned 0x1 [0144.154] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DAN", dwFileAttributes=0x0) returned 0 [0144.154] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DAN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.dan")) returned 0 [0144.154] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0144.154] wcsstr (_Str="nppdf32.DEU", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0144.154] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DEU") returned 62 [0144.154] wcscmp (_String1="nppdf32.DEU", _String2="!=How_recovery_files=!.txt") returned 1 [0144.154] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.DEU") returned 0x0 [0144.154] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DEU") returned 0x3e [0144.154] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DEU" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0144.156] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x2000, lpOverlapped=0x0) returned 1 [0144.222] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.222] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x2010, lpOverlapped=0x0) returned 1 [0144.223] CloseHandle (hObject=0x84) returned 1 [0144.223] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DEU", _Mode="a", _ShFlag=64) returned 0x76b32960 [0144.224] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0144.224] __uncaught_exception () returned 0x70700 [0144.224] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0144.224] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DEU" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.deu"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DEU.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.deu.[rmail@rmail.cc].rmaile")) returned 1 [0144.225] ??_V@YAXPAX@Z () returned 0x1 [0144.236] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DEU", dwFileAttributes=0x0) returned 0 [0144.236] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.DEU" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.deu")) returned 0 [0144.237] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0144.237] wcsstr (_Str="nppdf32.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0144.237] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.dll") returned 62 [0144.237] wcscmp (_String1="nppdf32.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0144.237] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.dll") returned 0x0 [0144.237] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.dll") returned 0x3e [0144.237] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0144.238] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x21190, lpOverlapped=0x0) returned 1 [0144.281] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.281] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x211a0, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x211a0, lpOverlapped=0x0) returned 1 [0144.282] CloseHandle (hObject=0x84) returned 1 [0144.282] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0144.282] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0144.282] __uncaught_exception () returned 0x70700 [0144.282] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0144.283] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.dll.[rmail@rmail.cc].rmaile")) returned 1 [0144.283] ??_V@YAXPAX@Z () returned 0x1 [0144.291] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.dll", dwFileAttributes=0x0) returned 0 [0144.292] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.dll")) returned 0 [0144.292] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0144.292] wcsstr (_Str="nppdf32.ESP", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0144.292] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ESP") returned 62 [0144.292] wcscmp (_String1="nppdf32.ESP", _String2="!=How_recovery_files=!.txt") returned 1 [0144.292] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.ESP") returned 0x0 [0144.292] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ESP") returned 0x3e [0144.292] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ESP" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.esp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0144.293] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0144.398] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.398] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0144.398] CloseHandle (hObject=0x84) returned 1 [0144.398] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ESP", _Mode="a", _ShFlag=64) returned 0x76b32960 [0144.398] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0144.398] __uncaught_exception () returned 0x70700 [0144.399] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0144.399] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ESP" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.esp"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ESP.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.esp.[rmail@rmail.cc].rmaile")) returned 1 [0144.460] ??_V@YAXPAX@Z () returned 0x1 [0144.469] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ESP", dwFileAttributes=0x0) returned 0 [0144.470] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ESP" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.esp")) returned 0 [0144.470] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0144.470] wcsstr (_Str="nppdf32.EUQ", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0144.470] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.EUQ") returned 62 [0144.470] wcscmp (_String1="nppdf32.EUQ", _String2="!=How_recovery_files=!.txt") returned 1 [0144.470] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.EUQ") returned 0x0 [0144.470] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.EUQ") returned 0x3e [0144.470] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.EUQ" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.euq"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0144.471] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0144.517] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.517] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0144.517] CloseHandle (hObject=0x84) returned 1 [0144.517] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.EUQ", _Mode="a", _ShFlag=64) returned 0x76b32960 [0144.518] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0144.518] __uncaught_exception () returned 0x70700 [0144.518] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0144.518] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.EUQ" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.euq"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.EUQ.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.euq.[rmail@rmail.cc].rmaile")) returned 1 [0144.519] ??_V@YAXPAX@Z () returned 0x1 [0144.525] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.EUQ", dwFileAttributes=0x0) returned 0 [0144.525] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.EUQ" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.euq")) returned 0 [0144.525] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0144.525] wcsstr (_Str="nppdf32.FRA", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0144.525] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.FRA") returned 62 [0144.525] wcscmp (_String1="nppdf32.FRA", _String2="!=How_recovery_files=!.txt") returned 1 [0144.525] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.FRA") returned 0x0 [0144.525] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.FRA") returned 0x3e [0144.525] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.FRA" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.fra"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0144.526] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x2000, lpOverlapped=0x0) returned 1 [0144.635] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.635] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x2010, lpOverlapped=0x0) returned 1 [0144.636] CloseHandle (hObject=0x84) returned 1 [0144.637] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.FRA", _Mode="a", _ShFlag=64) returned 0x76b32960 [0144.637] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0144.637] __uncaught_exception () returned 0x70700 [0144.637] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0144.637] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.FRA" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.fra"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.FRA.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.fra.[rmail@rmail.cc].rmaile")) returned 1 [0144.638] ??_V@YAXPAX@Z () returned 0x1 [0144.646] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.FRA", dwFileAttributes=0x0) returned 0 [0144.647] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.FRA" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.fra")) returned 0 [0144.647] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0144.647] wcsstr (_Str="nppdf32.HRV", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0144.647] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HRV") returned 62 [0144.647] wcscmp (_String1="nppdf32.HRV", _String2="!=How_recovery_files=!.txt") returned 1 [0144.647] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.HRV") returned 0x0 [0144.647] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HRV") returned 0x3e [0144.647] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HRV" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.hrv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0144.648] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0144.746] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.746] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0144.746] CloseHandle (hObject=0x84) returned 1 [0144.746] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HRV", _Mode="a", _ShFlag=64) returned 0x76b32960 [0144.747] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0144.747] __uncaught_exception () returned 0x70700 [0144.747] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0144.747] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HRV" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.hrv"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HRV.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.hrv.[rmail@rmail.cc].rmaile")) returned 1 [0144.748] ??_V@YAXPAX@Z () returned 0x1 [0144.756] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HRV", dwFileAttributes=0x0) returned 0 [0144.756] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HRV" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.hrv")) returned 0 [0144.756] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0144.756] wcsstr (_Str="nppdf32.HUN", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0144.756] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HUN") returned 62 [0144.756] wcscmp (_String1="nppdf32.HUN", _String2="!=How_recovery_files=!.txt") returned 1 [0144.756] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.HUN") returned 0x0 [0144.756] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HUN") returned 0x3e [0144.757] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HUN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.hun"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0144.757] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0144.868] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.868] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0144.869] CloseHandle (hObject=0x84) returned 1 [0144.869] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HUN", _Mode="a", _ShFlag=64) returned 0x76b32960 [0144.869] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0144.869] __uncaught_exception () returned 0x70700 [0144.869] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0144.870] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HUN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.hun"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HUN.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.hun.[rmail@rmail.cc].rmaile")) returned 1 [0144.870] ??_V@YAXPAX@Z () returned 0x1 [0144.878] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HUN", dwFileAttributes=0x0) returned 0 [0144.879] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.HUN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.hun")) returned 0 [0144.879] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0144.879] wcsstr (_Str="nppdf32.ITA", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0144.879] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ITA") returned 62 [0144.879] wcscmp (_String1="nppdf32.ITA", _String2="!=How_recovery_files=!.txt") returned 1 [0144.879] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.ITA") returned 0x0 [0144.879] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ITA") returned 0x3e [0144.879] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ITA" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ita"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0144.880] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0144.951] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.951] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0144.951] CloseHandle (hObject=0x84) returned 1 [0144.951] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ITA", _Mode="a", _ShFlag=64) returned 0x76b32960 [0144.951] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0144.951] __uncaught_exception () returned 0x70700 [0144.951] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0144.952] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ITA" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ita"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ITA.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ita.[rmail@rmail.cc].rmaile")) returned 1 [0144.952] ??_V@YAXPAX@Z () returned 0x1 [0144.960] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ITA", dwFileAttributes=0x0) returned 0 [0144.960] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.ITA" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ita")) returned 0 [0144.961] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0144.961] wcsstr (_Str="nppdf32.JPN", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0144.961] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.JPN") returned 62 [0144.961] wcscmp (_String1="nppdf32.JPN", _String2="!=How_recovery_files=!.txt") returned 1 [0144.961] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.JPN") returned 0x0 [0144.961] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.JPN") returned 0x3e [0144.961] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.JPN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.jpn"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0144.961] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1800, lpOverlapped=0x0) returned 1 [0144.975] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0144.975] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1810, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1810, lpOverlapped=0x0) returned 1 [0144.976] CloseHandle (hObject=0x84) returned 1 [0144.976] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.JPN", _Mode="a", _ShFlag=64) returned 0x76b32960 [0144.976] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0144.976] __uncaught_exception () returned 0x70700 [0144.976] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0144.976] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.JPN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.jpn"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.JPN.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.jpn.[rmail@rmail.cc].rmaile")) returned 1 [0144.977] ??_V@YAXPAX@Z () returned 0x1 [0144.985] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.JPN", dwFileAttributes=0x0) returned 0 [0144.985] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.JPN" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.jpn")) returned 0 [0144.985] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0144.985] wcsstr (_Str="nppdf32.KOR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0144.985] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.KOR") returned 62 [0144.985] wcscmp (_String1="nppdf32.KOR", _String2="!=How_recovery_files=!.txt") returned 1 [0144.985] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.KOR") returned 0x0 [0144.986] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.KOR") returned 0x3e [0144.986] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.KOR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.kor"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0144.986] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0145.056] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.056] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0145.056] CloseHandle (hObject=0x84) returned 1 [0145.056] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.KOR", _Mode="a", _ShFlag=64) returned 0x76b32960 [0145.057] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0145.057] __uncaught_exception () returned 0x70700 [0145.057] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0145.057] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.KOR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.kor"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.KOR.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.kor.[rmail@rmail.cc].rmaile")) returned 1 [0145.057] ??_V@YAXPAX@Z () returned 0x1 [0145.066] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.KOR", dwFileAttributes=0x0) returned 0 [0145.066] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.KOR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.kor")) returned 0 [0145.067] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0145.067] wcsstr (_Str="nppdf32.NLD", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0145.067] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NLD") returned 62 [0145.067] wcscmp (_String1="nppdf32.NLD", _String2="!=How_recovery_files=!.txt") returned 1 [0145.067] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.NLD") returned 0x0 [0145.067] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NLD") returned 0x3e [0145.067] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NLD" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.nld"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0145.067] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0145.134] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.134] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0145.135] CloseHandle (hObject=0x84) returned 1 [0145.135] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NLD", _Mode="a", _ShFlag=64) returned 0x76b32960 [0145.135] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0145.135] __uncaught_exception () returned 0x70700 [0145.135] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0145.135] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NLD" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.nld"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NLD.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.nld.[rmail@rmail.cc].rmaile")) returned 1 [0145.136] ??_V@YAXPAX@Z () returned 0x1 [0145.143] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NLD", dwFileAttributes=0x0) returned 0 [0145.143] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NLD" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.nld")) returned 0 [0145.143] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0145.143] wcsstr (_Str="nppdf32.NOR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0145.143] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NOR") returned 62 [0145.143] wcscmp (_String1="nppdf32.NOR", _String2="!=How_recovery_files=!.txt") returned 1 [0145.143] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.NOR") returned 0x0 [0145.143] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NOR") returned 0x3e [0145.143] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NOR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.nor"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0145.144] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0145.154] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.154] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0145.154] CloseHandle (hObject=0x84) returned 1 [0145.155] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NOR", _Mode="a", _ShFlag=64) returned 0x76b32960 [0145.155] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0145.155] __uncaught_exception () returned 0x70700 [0145.155] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0145.158] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NOR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.nor"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NOR.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.nor.[rmail@rmail.cc].rmaile")) returned 1 [0145.158] ??_V@YAXPAX@Z () returned 0x1 [0145.164] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NOR", dwFileAttributes=0x0) returned 0 [0145.164] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.NOR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.nor")) returned 0 [0145.164] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0145.165] wcsstr (_Str="nppdf32.POL", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0145.165] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.POL") returned 62 [0145.165] wcscmp (_String1="nppdf32.POL", _String2="!=How_recovery_files=!.txt") returned 1 [0145.165] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.POL") returned 0x0 [0145.165] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.POL") returned 0x3e [0145.165] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.POL" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.pol"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0145.166] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x2000, lpOverlapped=0x0) returned 1 [0145.411] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.411] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x2010, lpOverlapped=0x0) returned 1 [0145.412] CloseHandle (hObject=0x84) returned 1 [0145.412] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.POL", _Mode="a", _ShFlag=64) returned 0x76b32960 [0145.412] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0145.412] __uncaught_exception () returned 0x70700 [0145.412] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0145.413] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.POL" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.pol"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.POL.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.pol.[rmail@rmail.cc].rmaile")) returned 1 [0145.413] ??_V@YAXPAX@Z () returned 0x1 [0145.422] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.POL", dwFileAttributes=0x0) returned 0 [0145.422] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.POL" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.pol")) returned 0 [0145.422] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0145.422] wcsstr (_Str="nppdf32.PTB", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0145.422] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.PTB") returned 62 [0145.422] wcscmp (_String1="nppdf32.PTB", _String2="!=How_recovery_files=!.txt") returned 1 [0145.422] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.PTB") returned 0x0 [0145.422] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.PTB") returned 0x3e [0145.423] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.PTB" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ptb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0145.423] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0145.485] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.485] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0145.485] CloseHandle (hObject=0x84) returned 1 [0145.485] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.PTB", _Mode="a", _ShFlag=64) returned 0x76b32960 [0145.485] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0145.485] __uncaught_exception () returned 0x70700 [0145.486] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0145.486] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.PTB" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ptb"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.PTB.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ptb.[rmail@rmail.cc].rmaile")) returned 1 [0145.487] ??_V@YAXPAX@Z () returned 0x1 [0145.496] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.PTB", dwFileAttributes=0x0) returned 0 [0145.496] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.PTB" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ptb")) returned 0 [0145.496] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0145.496] wcsstr (_Str="nppdf32.RUM", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0145.496] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUM") returned 62 [0145.496] wcscmp (_String1="nppdf32.RUM", _String2="!=How_recovery_files=!.txt") returned 1 [0145.496] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.RUM") returned 0x0 [0145.496] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUM") returned 0x3e [0145.496] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUM" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.rum"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0145.497] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x2000, lpOverlapped=0x0) returned 1 [0145.533] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.533] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x2010, lpOverlapped=0x0) returned 1 [0145.533] CloseHandle (hObject=0x84) returned 1 [0145.533] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUM", _Mode="a", _ShFlag=64) returned 0x76b32960 [0145.534] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0145.534] __uncaught_exception () returned 0x70700 [0145.534] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0145.534] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUM" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.rum"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUM.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.rum.[rmail@rmail.cc].rmaile")) returned 1 [0145.534] ??_V@YAXPAX@Z () returned 0x1 [0145.541] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUM", dwFileAttributes=0x0) returned 0 [0145.541] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUM" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.rum")) returned 0 [0145.541] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0145.541] wcsstr (_Str="nppdf32.RUS", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0145.541] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUS") returned 62 [0145.541] wcscmp (_String1="nppdf32.RUS", _String2="!=How_recovery_files=!.txt") returned 1 [0145.541] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.RUS") returned 0x0 [0145.541] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUS") returned 0x3e [0145.541] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUS" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.rus"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0145.541] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0145.567] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.568] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0145.568] CloseHandle (hObject=0x84) returned 1 [0145.568] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUS", _Mode="a", _ShFlag=64) returned 0x76b32960 [0145.568] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0145.568] __uncaught_exception () returned 0x70700 [0145.568] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0145.568] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUS" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.rus"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUS.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.rus.[rmail@rmail.cc].rmaile")) returned 1 [0145.569] ??_V@YAXPAX@Z () returned 0x1 [0145.575] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUS", dwFileAttributes=0x0) returned 0 [0145.575] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.RUS" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.rus")) returned 0 [0145.575] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0145.575] wcsstr (_Str="nppdf32.SKY", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0145.575] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SKY") returned 62 [0145.575] wcscmp (_String1="nppdf32.SKY", _String2="!=How_recovery_files=!.txt") returned 1 [0145.575] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.SKY") returned 0x0 [0145.575] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SKY") returned 0x3e [0145.575] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SKY" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.sky"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0145.576] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0145.670] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.670] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0145.670] CloseHandle (hObject=0x84) returned 1 [0145.671] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SKY", _Mode="a", _ShFlag=64) returned 0x76b32960 [0145.671] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0145.671] __uncaught_exception () returned 0x70700 [0145.671] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0145.671] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SKY" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.sky"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SKY.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.sky.[rmail@rmail.cc].rmaile")) returned 1 [0145.672] ??_V@YAXPAX@Z () returned 0x1 [0145.680] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SKY", dwFileAttributes=0x0) returned 0 [0145.680] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SKY" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.sky")) returned 0 [0145.680] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0145.680] wcsstr (_Str="nppdf32.SLV", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0145.680] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SLV") returned 62 [0145.680] wcscmp (_String1="nppdf32.SLV", _String2="!=How_recovery_files=!.txt") returned 1 [0145.680] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.SLV") returned 0x0 [0145.680] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SLV") returned 0x3e [0145.680] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SLV" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.slv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0145.681] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0145.704] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0145.704] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0145.704] CloseHandle (hObject=0x84) returned 1 [0145.704] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SLV", _Mode="a", _ShFlag=64) returned 0x76b32960 [0145.704] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0145.704] __uncaught_exception () returned 0x70700 [0145.705] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0145.705] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SLV" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.slv"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SLV.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.slv.[rmail@rmail.cc].rmaile")) returned 1 [0145.706] ??_V@YAXPAX@Z () returned 0x1 [0145.712] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SLV", dwFileAttributes=0x0) returned 0 [0145.712] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SLV" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.slv")) returned 0 [0145.712] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0145.712] wcsstr (_Str="nppdf32.SUO", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0145.712] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SUO") returned 62 [0145.712] wcscmp (_String1="nppdf32.SUO", _String2="!=How_recovery_files=!.txt") returned 1 [0145.712] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.SUO") returned 0x0 [0145.712] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SUO") returned 0x3e [0145.712] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SUO" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.suo"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0145.713] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0146.030] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.030] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0146.030] CloseHandle (hObject=0x84) returned 1 [0146.030] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SUO", _Mode="a", _ShFlag=64) returned 0x76b32960 [0146.031] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0146.031] __uncaught_exception () returned 0x70700 [0146.031] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0146.031] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SUO" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.suo"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SUO.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.suo.[rmail@rmail.cc].rmaile")) returned 1 [0146.031] ??_V@YAXPAX@Z () returned 0x1 [0146.037] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SUO", dwFileAttributes=0x0) returned 0 [0146.037] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SUO" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.suo")) returned 0 [0146.038] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0146.038] wcsstr (_Str="nppdf32.SVE", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0146.038] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SVE") returned 62 [0146.038] wcscmp (_String1="nppdf32.SVE", _String2="!=How_recovery_files=!.txt") returned 1 [0146.038] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.SVE") returned 0x0 [0146.038] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SVE") returned 0x3e [0146.038] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SVE" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.sve"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0146.038] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0146.063] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.063] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0146.063] CloseHandle (hObject=0x84) returned 1 [0146.064] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SVE", _Mode="a", _ShFlag=64) returned 0x76b32960 [0146.064] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0146.064] __uncaught_exception () returned 0x70700 [0146.064] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0146.064] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SVE" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.sve"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SVE.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.sve.[rmail@rmail.cc].rmaile")) returned 1 [0146.072] ??_V@YAXPAX@Z () returned 0x1 [0146.080] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SVE", dwFileAttributes=0x0) returned 0 [0146.080] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.SVE" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.sve")) returned 0 [0146.080] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0146.080] wcsstr (_Str="nppdf32.TUR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0146.080] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.TUR") returned 62 [0146.080] wcscmp (_String1="nppdf32.TUR", _String2="!=How_recovery_files=!.txt") returned 1 [0146.080] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.TUR") returned 0x0 [0146.080] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.TUR") returned 0x3e [0146.080] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.TUR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.tur"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0146.082] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0146.182] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.182] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0146.182] CloseHandle (hObject=0x84) returned 1 [0146.182] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.TUR", _Mode="a", _ShFlag=64) returned 0x76b32960 [0146.182] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0146.182] __uncaught_exception () returned 0x70700 [0146.182] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0146.183] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.TUR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.tur"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.TUR.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.tur.[rmail@rmail.cc].rmaile")) returned 1 [0146.183] ??_V@YAXPAX@Z () returned 0x1 [0146.191] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.TUR", dwFileAttributes=0x0) returned 0 [0146.191] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.TUR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.tur")) returned 0 [0146.191] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0146.191] wcsstr (_Str="nppdf32.UKR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0146.191] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.UKR") returned 62 [0146.191] wcscmp (_String1="nppdf32.UKR", _String2="!=How_recovery_files=!.txt") returned 1 [0146.191] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="nppdf32.UKR") returned 0x0 [0146.191] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.UKR") returned 0x3e [0146.191] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.UKR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ukr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x84 [0146.192] ReadFile (in: hFile=0x84, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1adca0*=0x1e00, lpOverlapped=0x0) returned 1 [0146.295] SetFilePointer (in: hFile=0x84, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.296] WriteFile (in: hFile=0x84, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x1adca0, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1adca0*=0x1e10, lpOverlapped=0x0) returned 1 [0146.296] CloseHandle (hObject=0x84) returned 1 [0146.296] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.UKR", _Mode="a", _ShFlag=64) returned 0x76b32960 [0146.296] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0146.296] __uncaught_exception () returned 0x70700 [0146.296] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0146.297] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.UKR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ukr"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.UKR.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ukr.[rmail@rmail.cc].rmaile")) returned 1 [0146.298] ??_V@YAXPAX@Z () returned 0x1 [0146.305] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.UKR", dwFileAttributes=0x0) returned 0 [0146.305] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\nppdf32.UKR" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\browser\\nppdf32.ukr")) returned 0 [0146.305] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 0 [0146.305] FindClose (in: hFindFile=0x44e428 | out: hFindFile=0x44e428) returned 1 [0146.305] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser") returned 0x32 [0146.305] strlen (_Str="${KEY}") returned 0x6 [0146.305] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0146.305] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0146.305] strlen (_Str="${CODE}") returned 0x7 [0146.305] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0146.305] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0146.305] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0146.305] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Browser\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0146.306] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0146.306] __uncaught_exception () returned 0x70700 [0146.306] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0146.309] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0146.309] wcsstr (_Str="ccme_base.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0146.309] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ccme_base.dll") returned 56 [0146.309] wcscmp (_String1="ccme_base.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0146.309] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ccme_base.dll") returned 0x0 [0146.309] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ccme_base.dll") returned 0x38 [0146.309] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ccme_base.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\ccme_base.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0146.309] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0146.518] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.518] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0146.531] CloseHandle (hObject=0x80) returned 1 [0146.531] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ccme_base.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0146.532] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0146.532] __uncaught_exception () returned 0x70700 [0146.532] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0146.532] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ccme_base.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\ccme_base.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ccme_base.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\ccme_base.dll.[rmail@rmail.cc].rmaile")) returned 1 [0146.533] ??_V@YAXPAX@Z () returned 0x1 [0146.539] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ccme_base.dll", dwFileAttributes=0x0) returned 0 [0146.539] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ccme_base.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\ccme_base.dll")) returned 0 [0146.539] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0146.539] wcsstr (_Str="CoolType.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0146.539] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\CoolType.dll") returned 55 [0146.539] wcscmp (_String1="CoolType.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0146.539] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="CoolType.dll") returned 0x0 [0146.539] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\CoolType.dll") returned 0x37 [0146.539] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\CoolType.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\cooltype.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0146.540] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0146.694] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.694] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0146.711] CloseHandle (hObject=0x80) returned 1 [0146.712] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\CoolType.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0146.712] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0146.712] __uncaught_exception () returned 0x70700 [0146.712] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0146.768] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\CoolType.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\cooltype.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\CoolType.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\cooltype.dll.[rmail@rmail.cc].rmaile")) returned 1 [0146.769] ??_V@YAXPAX@Z () returned 0x1 [0146.777] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\CoolType.dll", dwFileAttributes=0x0) returned 0 [0146.777] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\CoolType.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\cooltype.dll")) returned 0 [0146.777] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0146.777] wcsstr (_Str="cryptocme2.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0146.777] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.dll") returned 57 [0146.777] wcscmp (_String1="cryptocme2.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0146.777] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="cryptocme2.dll") returned 0x0 [0146.777] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.dll") returned 0x39 [0146.777] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\cryptocme2.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0146.778] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0146.974] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0146.974] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0147.015] CloseHandle (hObject=0x80) returned 1 [0147.015] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0147.015] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0147.015] __uncaught_exception () returned 0x70700 [0147.015] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0147.016] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\cryptocme2.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\cryptocme2.dll.[rmail@rmail.cc].rmaile")) returned 1 [0147.016] ??_V@YAXPAX@Z () returned 0x1 [0147.023] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.dll", dwFileAttributes=0x0) returned 0 [0147.023] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\cryptocme2.dll")) returned 0 [0147.023] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0147.023] wcsstr (_Str="cryptocme2.sig", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0147.023] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.sig") returned 57 [0147.023] wcscmp (_String1="cryptocme2.sig", _String2="!=How_recovery_files=!.txt") returned 1 [0147.023] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="cryptocme2.sig") returned 0x0 [0147.023] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.sig") returned 0x39 [0147.023] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.sig" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\cryptocme2.sig"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0147.024] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x647, lpOverlapped=0x0) returned 1 [0147.254] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.254] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x650, lpOverlapped=0x0) returned 1 [0147.254] CloseHandle (hObject=0x80) returned 1 [0147.254] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.sig", _Mode="a", _ShFlag=64) returned 0x76b32960 [0147.254] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0147.254] __uncaught_exception () returned 0x70700 [0147.254] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0147.254] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.sig" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\cryptocme2.sig"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.sig.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\cryptocme2.sig.[rmail@rmail.cc].rmaile")) returned 1 [0147.255] ??_V@YAXPAX@Z () returned 0x1 [0147.262] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.sig", dwFileAttributes=0x0) returned 0 [0147.263] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\cryptocme2.sig" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\cryptocme2.sig")) returned 0 [0147.263] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0147.263] wcsstr (_Str="Eula.exe", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0147.263] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Eula.exe") returned 51 [0147.263] wcscmp (_String1="Eula.exe", _String2="!=How_recovery_files=!.txt") returned 1 [0147.263] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="Eula.exe") returned 0x0 [0147.263] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Eula.exe") returned 0x33 [0147.263] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Eula.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\eula.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0147.265] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x17190, lpOverlapped=0x0) returned 1 [0147.348] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.348] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x171a0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x171a0, lpOverlapped=0x0) returned 1 [0147.349] CloseHandle (hObject=0x80) returned 1 [0147.349] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Eula.exe", _Mode="a", _ShFlag=64) returned 0x76b32960 [0147.350] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0147.350] __uncaught_exception () returned 0x70700 [0147.350] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0147.350] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Eula.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\eula.exe"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Eula.exe.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\eula.exe.[rmail@rmail.cc].rmaile")) returned 1 [0147.351] ??_V@YAXPAX@Z () returned 0x1 [0147.358] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Eula.exe", dwFileAttributes=0x0) returned 0 [0147.358] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\Eula.exe" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\eula.exe")) returned 0 [0147.358] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0147.358] wcsstr (_Str="ExtendScript.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0147.358] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ExtendScript.dll") returned 59 [0147.358] wcscmp (_String1="ExtendScript.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0147.358] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="ExtendScript.dll") returned 0x0 [0147.358] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ExtendScript.dll") returned 0x3b [0147.358] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ExtendScript.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\extendscript.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0147.359] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0xa3ba0, lpOverlapped=0x0) returned 1 [0147.529] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.529] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xa3bb0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0xa3bb0, lpOverlapped=0x0) returned 1 [0147.531] CloseHandle (hObject=0x80) returned 1 [0147.531] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ExtendScript.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0147.531] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0147.532] __uncaught_exception () returned 0x70700 [0147.532] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0147.532] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ExtendScript.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\extendscript.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ExtendScript.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\extendscript.dll.[rmail@rmail.cc].rmaile")) returned 1 [0147.532] ??_V@YAXPAX@Z () returned 0x1 [0147.538] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ExtendScript.dll", dwFileAttributes=0x0) returned 0 [0147.538] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\ExtendScript.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\extendscript.dll")) returned 0 [0147.539] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0147.539] wcsstr (_Str="icucnv40.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0147.539] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icucnv40.dll") returned 55 [0147.539] wcscmp (_String1="icucnv40.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0147.539] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="icucnv40.dll") returned 0x0 [0147.539] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icucnv40.dll") returned 0x37 [0147.539] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icucnv40.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icucnv40.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0147.539] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0xb03a8, lpOverlapped=0x0) returned 1 [0147.654] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.654] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0xb03b0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0xb03b0, lpOverlapped=0x0) returned 1 [0147.656] CloseHandle (hObject=0x80) returned 1 [0147.656] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icucnv40.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0147.657] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0147.657] __uncaught_exception () returned 0x70700 [0147.657] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0147.657] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icucnv40.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icucnv40.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icucnv40.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icucnv40.dll.[rmail@rmail.cc].rmaile")) returned 1 [0147.658] ??_V@YAXPAX@Z () returned 0x1 [0147.664] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icucnv40.dll", dwFileAttributes=0x0) returned 0 [0147.664] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icucnv40.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icucnv40.dll")) returned 0 [0147.664] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0147.664] wcsstr (_Str="icudt40.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0147.664] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40.dll") returned 54 [0147.664] wcscmp (_String1="icudt40.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0147.664] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="icudt40.dll") returned 0x0 [0147.664] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40.dll") returned 0x36 [0147.664] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icudt40.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0147.665] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x17790, lpOverlapped=0x0) returned 1 [0147.690] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0147.690] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x177a0, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x177a0, lpOverlapped=0x0) returned 1 [0147.691] CloseHandle (hObject=0x80) returned 1 [0147.691] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0147.691] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0147.691] __uncaught_exception () returned 0x70700 [0147.691] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0147.691] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icudt40.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icudt40.dll.[rmail@rmail.cc].rmaile")) returned 1 [0147.692] ??_V@YAXPAX@Z () returned 0x1 [0147.699] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40.dll", dwFileAttributes=0x0) returned 0 [0147.699] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icudt40.dll")) returned 0 [0147.699] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0147.699] wcsstr (_Str="icudt40_full.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0147.699] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40_full.dll") returned 59 [0147.699] wcscmp (_String1="icudt40_full.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0147.699] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="icudt40_full.dll") returned 0x0 [0147.699] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40_full.dll") returned 0x3b [0147.699] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40_full.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icudt40_full.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0147.924] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0148.122] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.122] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0148.137] CloseHandle (hObject=0x80) returned 1 [0148.137] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40_full.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0148.137] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0148.137] __uncaught_exception () returned 0x70700 [0148.137] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0148.139] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40_full.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icudt40_full.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40_full.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icudt40_full.dll.[rmail@rmail.cc].rmaile")) returned 1 [0148.140] ??_V@YAXPAX@Z () returned 0x1 [0148.146] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40_full.dll", dwFileAttributes=0x0) returned 0 [0148.146] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icudt40_full.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icudt40_full.dll")) returned 0 [0148.146] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0148.146] wcsstr (_Str="icuuc40.dll", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0148.146] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icuuc40.dll") returned 54 [0148.146] wcscmp (_String1="icuuc40.dll", _String2="!=How_recovery_files=!.txt") returned 1 [0148.146] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="icuuc40.dll") returned 0x0 [0148.146] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icuuc40.dll") returned 0x36 [0148.146] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icuuc40.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icuuc40.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x80 [0148.147] ReadFile (in: hFile=0x80, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ae15c*=0x100000, lpOverlapped=0x0) returned 1 [0148.272] SetFilePointer (in: hFile=0x80, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.272] WriteFile (in: hFile=0x80, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x100010, lpNumberOfBytesWritten=0x1ae15c, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ae15c*=0x100010, lpOverlapped=0x0) returned 1 [0148.285] CloseHandle (hObject=0x80) returned 1 [0148.286] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icuuc40.dll", _Mode="a", _ShFlag=64) returned 0x76b32960 [0148.286] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0148.286] __uncaught_exception () returned 0x70700 [0148.286] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0148.286] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icuuc40.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icuuc40.dll"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icuuc40.dll.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icuuc40.dll.[rmail@rmail.cc].rmaile")) returned 1 [0148.287] ??_V@YAXPAX@Z () returned 0x1 [0148.293] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icuuc40.dll", dwFileAttributes=0x0) returned 0 [0148.293] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\icuuc40.dll" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\icuuc40.dll")) returned 0 [0148.293] FindNextFileW (in: hFindFile=0x44e3e8, lpFindFileData=0x1ae1f0 | out: lpFindFileData=0x1ae1f0) returned 1 [0148.293] wcsstr (_Str="IDTemplates", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0148.293] _snwprintf (in: _Dest=0x1ae470, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates") returned 54 [0148.293] wcscmp (_String1=".", _String2="IDTemplates") returned -1 [0148.293] wcscmp (_String1="..", _String2="IDTemplates") returned -1 [0148.293] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates") returned 0x36 [0148.293] wcscat (in: _Dest=0x1adfb4, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\*" [0148.293] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\*", lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 0x44e428 [0148.505] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0148.505] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\.") returned 56 [0148.505] wcscmp (_String1=".", _String2=".") returned 0 [0148.505] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0148.505] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0148.505] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\..") returned 57 [0148.505] wcscmp (_String1=".", _String2="..") returned -1 [0148.505] wcscmp (_String1="..", _String2="..") returned 0 [0148.505] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0148.505] wcsstr (_Str="CAT", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0148.505] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT") returned 58 [0148.505] wcscmp (_String1=".", _String2="CAT") returned -1 [0148.505] wcscmp (_String1="..", _String2="CAT") returned -1 [0148.505] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT") returned 0x3a [0148.505] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\*" [0148.505] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0148.506] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0148.506] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\.") returned 60 [0148.506] wcscmp (_String1=".", _String2=".") returned 0 [0148.506] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0148.506] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0148.506] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\..") returned 61 [0148.506] wcscmp (_String1=".", _String2="..") returned -1 [0148.506] wcscmp (_String1="..", _String2="..") returned 0 [0148.506] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0148.506] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0148.506] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\AdobeID.pdf") returned 70 [0148.506] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0148.506] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0148.506] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\AdobeID.pdf") returned 0x46 [0148.506] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0148.507] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x11ff6, lpOverlapped=0x0) returned 1 [0148.714] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.714] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x12000, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x12000, lpOverlapped=0x0) returned 1 [0148.714] CloseHandle (hObject=0x88) returned 1 [0148.714] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0148.715] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0148.715] __uncaught_exception () returned 0x70700 [0148.715] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0148.715] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0148.715] ??_V@YAXPAX@Z () returned 0x1 [0148.722] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0148.723] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\adobeid.pdf")) returned 0 [0148.723] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0148.723] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0148.723] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf") returned 72 [0148.723] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0148.723] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0148.723] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf") returned 0x48 [0148.723] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0148.723] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x11581, lpOverlapped=0x0) returned 1 [0148.856] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0148.856] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x11590, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x11590, lpOverlapped=0x0) returned 1 [0148.856] CloseHandle (hObject=0x88) returned 1 [0148.856] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0148.857] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0148.857] __uncaught_exception () returned 0x70700 [0148.857] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0148.857] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0148.857] ??_V@YAXPAX@Z () returned 0x1 [0148.864] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0148.864] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\defaultid.pdf")) returned 0 [0148.864] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0148.864] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0148.864] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT") returned 0x3a [0148.864] strlen (_Str="${KEY}") returned 0x6 [0148.864] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0148.864] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0148.864] strlen (_Str="${CODE}") returned 0x7 [0148.864] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0148.864] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0148.864] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0148.864] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0148.866] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0148.866] __uncaught_exception () returned 0x70700 [0148.866] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0148.867] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0148.867] wcsstr (_Str="CHS", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0148.867] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS") returned 58 [0148.867] wcscmp (_String1=".", _String2="CHS") returned -1 [0148.867] wcscmp (_String1="..", _String2="CHS") returned -1 [0148.867] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS") returned 0x3a [0148.868] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\*" [0148.868] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0148.868] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0148.868] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\.") returned 60 [0148.868] wcscmp (_String1=".", _String2=".") returned 0 [0148.868] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0148.868] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0148.868] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\..") returned 61 [0148.868] wcscmp (_String1=".", _String2="..") returned -1 [0148.868] wcscmp (_String1="..", _String2="..") returned 0 [0148.868] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0148.868] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0148.868] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\AdobeID.pdf") returned 70 [0148.868] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0148.869] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0148.869] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\AdobeID.pdf") returned 0x46 [0148.869] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\chs\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0148.869] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x20cc1, lpOverlapped=0x0) returned 1 [0149.085] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.085] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x20cd0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x20cd0, lpOverlapped=0x0) returned 1 [0149.086] CloseHandle (hObject=0x88) returned 1 [0149.086] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0149.086] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0149.086] __uncaught_exception () returned 0x70700 [0149.086] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0149.086] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\chs\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\chs\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0149.087] ??_V@YAXPAX@Z () returned 0x1 [0149.094] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0149.095] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\chs\\adobeid.pdf")) returned 0 [0149.095] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0149.095] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.095] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\DefaultID.pdf") returned 72 [0149.095] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0149.095] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0149.095] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\DefaultID.pdf") returned 0x48 [0149.095] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\chs\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0149.095] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x207b0, lpOverlapped=0x0) returned 1 [0149.141] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.141] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x207c0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x207c0, lpOverlapped=0x0) returned 1 [0149.142] CloseHandle (hObject=0x88) returned 1 [0149.142] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0149.142] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0149.142] __uncaught_exception () returned 0x70700 [0149.142] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0149.143] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\chs\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\chs\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0149.143] ??_V@YAXPAX@Z () returned 0x1 [0149.151] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0149.152] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\chs\\defaultid.pdf")) returned 0 [0149.152] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0149.152] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0149.152] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS") returned 0x3a [0149.152] strlen (_Str="${KEY}") returned 0x6 [0149.152] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0149.152] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0149.152] strlen (_Str="${CODE}") returned 0x7 [0149.152] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0149.152] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0149.152] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0149.152] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHS\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0149.303] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0149.303] __uncaught_exception () returned 0x70700 [0149.303] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0149.304] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0149.304] wcsstr (_Str="CHT", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.304] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT") returned 58 [0149.304] wcscmp (_String1=".", _String2="CHT") returned -1 [0149.304] wcscmp (_String1="..", _String2="CHT") returned -1 [0149.304] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT") returned 0x3a [0149.304] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\*" [0149.304] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0149.304] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.304] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\.") returned 60 [0149.304] wcscmp (_String1=".", _String2=".") returned 0 [0149.304] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0149.304] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.304] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\..") returned 61 [0149.305] wcscmp (_String1=".", _String2="..") returned -1 [0149.305] wcscmp (_String1="..", _String2="..") returned 0 [0149.305] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0149.305] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.305] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\AdobeID.pdf") returned 70 [0149.305] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0149.305] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0149.305] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\AdobeID.pdf") returned 0x46 [0149.305] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cht\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0149.305] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x561b, lpOverlapped=0x0) returned 1 [0149.331] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.331] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5620, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x5620, lpOverlapped=0x0) returned 1 [0149.331] CloseHandle (hObject=0x88) returned 1 [0149.334] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0149.334] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0149.335] __uncaught_exception () returned 0x70700 [0149.335] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0149.335] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cht\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cht\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0149.349] ??_V@YAXPAX@Z () returned 0x1 [0149.358] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0149.358] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cht\\adobeid.pdf")) returned 0 [0149.359] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0149.359] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.359] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\DefaultID.pdf") returned 72 [0149.359] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0149.359] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0149.359] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\DefaultID.pdf") returned 0x48 [0149.359] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cht\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0149.359] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x510a, lpOverlapped=0x0) returned 1 [0149.502] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.502] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5110, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x5110, lpOverlapped=0x0) returned 1 [0149.502] CloseHandle (hObject=0x88) returned 1 [0149.502] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0149.503] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0149.503] __uncaught_exception () returned 0x70700 [0149.503] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0149.503] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cht\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cht\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0149.504] ??_V@YAXPAX@Z () returned 0x1 [0149.514] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0149.514] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cht\\defaultid.pdf")) returned 0 [0149.515] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0149.515] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0149.515] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT") returned 0x3a [0149.515] strlen (_Str="${KEY}") returned 0x6 [0149.515] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0149.515] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0149.515] strlen (_Str="${CODE}") returned 0x7 [0149.515] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0149.515] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0149.515] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0149.515] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CHT\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0149.534] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0149.534] __uncaught_exception () returned 0x70700 [0149.534] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0149.536] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0149.536] wcsstr (_Str="CZE", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.536] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE") returned 58 [0149.536] wcscmp (_String1=".", _String2="CZE") returned -1 [0149.536] wcscmp (_String1="..", _String2="CZE") returned -1 [0149.536] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE") returned 0x3a [0149.536] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\*" [0149.536] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0149.537] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.537] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\.") returned 60 [0149.537] wcscmp (_String1=".", _String2=".") returned 0 [0149.537] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0149.537] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.537] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\..") returned 61 [0149.537] wcscmp (_String1=".", _String2="..") returned -1 [0149.537] wcscmp (_String1="..", _String2="..") returned 0 [0149.538] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0149.538] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.538] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\AdobeID.pdf") returned 70 [0149.538] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0149.538] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0149.538] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\AdobeID.pdf") returned 0x46 [0149.538] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cze\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0149.539] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x16057, lpOverlapped=0x0) returned 1 [0149.572] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.572] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x16060, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x16060, lpOverlapped=0x0) returned 1 [0149.572] CloseHandle (hObject=0x88) returned 1 [0149.573] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0149.573] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0149.573] __uncaught_exception () returned 0x70700 [0149.573] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0149.573] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cze\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cze\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0149.574] ??_V@YAXPAX@Z () returned 0x1 [0149.581] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0149.581] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cze\\adobeid.pdf")) returned 0 [0149.581] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0149.581] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.581] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\DefaultID.pdf") returned 72 [0149.581] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0149.581] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0149.581] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\DefaultID.pdf") returned 0x48 [0149.581] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cze\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0149.582] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x155af, lpOverlapped=0x0) returned 1 [0149.631] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.631] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x155b0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x155b0, lpOverlapped=0x0) returned 1 [0149.631] CloseHandle (hObject=0x88) returned 1 [0149.631] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0149.632] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0149.632] __uncaught_exception () returned 0x70700 [0149.632] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0149.632] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cze\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cze\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0149.632] ??_V@YAXPAX@Z () returned 0x1 [0149.639] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0149.639] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\cze\\defaultid.pdf")) returned 0 [0149.639] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0149.639] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0149.639] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE") returned 0x3a [0149.640] strlen (_Str="${KEY}") returned 0x6 [0149.640] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0149.640] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0149.640] strlen (_Str="${CODE}") returned 0x7 [0149.640] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0149.640] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0149.640] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0149.640] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CZE\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0149.641] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0149.641] __uncaught_exception () returned 0x70700 [0149.641] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0149.644] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0149.644] wcsstr (_Str="DAN", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.644] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN") returned 58 [0149.644] wcscmp (_String1=".", _String2="DAN") returned -1 [0149.644] wcscmp (_String1="..", _String2="DAN") returned -1 [0149.644] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN") returned 0x3a [0149.644] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\*" [0149.644] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0149.645] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.645] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\.") returned 60 [0149.645] wcscmp (_String1=".", _String2=".") returned 0 [0149.645] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0149.645] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.645] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\..") returned 61 [0149.645] wcscmp (_String1=".", _String2="..") returned -1 [0149.645] wcscmp (_String1="..", _String2="..") returned 0 [0149.645] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0149.645] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.645] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\AdobeID.pdf") returned 70 [0149.645] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0149.645] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0149.645] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\AdobeID.pdf") returned 0x46 [0149.645] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\dan\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0149.645] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x106ec, lpOverlapped=0x0) returned 1 [0149.785] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.785] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x106f0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x106f0, lpOverlapped=0x0) returned 1 [0149.788] CloseHandle (hObject=0x88) returned 1 [0149.788] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0149.788] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0149.788] __uncaught_exception () returned 0x70700 [0149.788] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0149.789] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\dan\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\dan\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0149.789] ??_V@YAXPAX@Z () returned 0x1 [0149.798] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0149.798] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\dan\\adobeid.pdf")) returned 0 [0149.798] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0149.798] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.798] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\DefaultID.pdf") returned 72 [0149.798] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0149.798] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0149.798] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\DefaultID.pdf") returned 0x48 [0149.798] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\dan\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0149.799] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x101ce, lpOverlapped=0x0) returned 1 [0149.893] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0149.893] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x101d0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x101d0, lpOverlapped=0x0) returned 1 [0149.893] CloseHandle (hObject=0x88) returned 1 [0149.893] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0149.893] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0149.894] __uncaught_exception () returned 0x70700 [0149.894] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0149.894] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\dan\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\dan\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0149.894] ??_V@YAXPAX@Z () returned 0x1 [0149.902] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0149.902] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\dan\\defaultid.pdf")) returned 0 [0149.902] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0149.902] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0149.903] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN") returned 0x3a [0149.903] strlen (_Str="${KEY}") returned 0x6 [0149.903] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0149.903] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0149.903] strlen (_Str="${CODE}") returned 0x7 [0149.903] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0149.903] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0149.903] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0149.903] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DAN\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0149.905] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0149.905] __uncaught_exception () returned 0x70700 [0149.905] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0149.906] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0149.907] wcsstr (_Str="DEU", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.907] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU") returned 58 [0149.907] wcscmp (_String1=".", _String2="DEU") returned -1 [0149.907] wcscmp (_String1="..", _String2="DEU") returned -1 [0149.907] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU") returned 0x3a [0149.907] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\*" [0149.907] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0149.908] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.908] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\.") returned 60 [0149.908] wcscmp (_String1=".", _String2=".") returned 0 [0149.908] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0149.908] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.908] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\..") returned 61 [0149.908] wcscmp (_String1=".", _String2="..") returned -1 [0149.908] wcscmp (_String1="..", _String2="..") returned 0 [0149.908] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0149.908] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0149.908] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\AdobeID.pdf") returned 70 [0149.908] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0149.908] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0149.908] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\AdobeID.pdf") returned 0x46 [0149.908] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\deu\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0149.909] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x106d4, lpOverlapped=0x0) returned 1 [0150.900] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0150.900] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x106e0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x106e0, lpOverlapped=0x0) returned 1 [0150.900] CloseHandle (hObject=0x88) returned 1 [0150.900] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0150.900] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0150.900] __uncaught_exception () returned 0x70700 [0150.900] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0150.901] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\deu\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\deu\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0150.901] ??_V@YAXPAX@Z () returned 0x1 [0150.908] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0150.908] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\deu\\adobeid.pdf")) returned 0 [0150.908] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0150.908] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0150.908] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\DefaultID.pdf") returned 72 [0150.908] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0150.908] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0150.908] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\DefaultID.pdf") returned 0x48 [0150.908] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\deu\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0150.909] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x101bc, lpOverlapped=0x0) returned 1 [0151.035] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.035] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x101c0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x101c0, lpOverlapped=0x0) returned 1 [0151.035] CloseHandle (hObject=0x88) returned 1 [0151.036] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0151.036] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0151.036] __uncaught_exception () returned 0x70700 [0151.036] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0151.036] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\deu\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\deu\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0151.037] ??_V@YAXPAX@Z () returned 0x1 [0151.044] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0151.044] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\deu\\defaultid.pdf")) returned 0 [0151.044] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0151.044] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0151.044] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU") returned 0x3a [0151.044] strlen (_Str="${KEY}") returned 0x6 [0151.044] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0151.044] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0151.044] strlen (_Str="${CODE}") returned 0x7 [0151.044] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0151.045] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0151.045] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0151.045] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\DEU\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0151.054] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0151.054] __uncaught_exception () returned 0x70700 [0151.054] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0151.055] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0151.056] wcsstr (_Str="ENU", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.056] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU") returned 58 [0151.056] wcscmp (_String1=".", _String2="ENU") returned -1 [0151.056] wcscmp (_String1="..", _String2="ENU") returned -1 [0151.056] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU") returned 0x3a [0151.056] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\*" [0151.056] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0151.056] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.056] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\.") returned 60 [0151.056] wcscmp (_String1=".", _String2=".") returned 0 [0151.056] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0151.056] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.056] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\..") returned 61 [0151.056] wcscmp (_String1=".", _String2="..") returned -1 [0151.056] wcscmp (_String1="..", _String2="..") returned 0 [0151.056] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0151.056] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.056] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\AdobeID.pdf") returned 70 [0151.056] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0151.056] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0151.056] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\AdobeID.pdf") returned 0x46 [0151.056] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\enu\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0151.057] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x14096, lpOverlapped=0x0) returned 1 [0151.201] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.201] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x140a0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x140a0, lpOverlapped=0x0) returned 1 [0151.201] CloseHandle (hObject=0x88) returned 1 [0151.201] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0151.201] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0151.201] __uncaught_exception () returned 0x70700 [0151.202] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0151.202] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\enu\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\enu\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0151.203] ??_V@YAXPAX@Z () returned 0x1 [0151.211] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0151.211] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\enu\\adobeid.pdf")) returned 0 [0151.211] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0151.211] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.211] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\DefaultID.pdf") returned 72 [0151.211] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0151.211] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0151.211] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\DefaultID.pdf") returned 0x48 [0151.211] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\enu\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0151.211] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x13b0b, lpOverlapped=0x0) returned 1 [0151.275] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.275] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x13b10, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x13b10, lpOverlapped=0x0) returned 1 [0151.275] CloseHandle (hObject=0x88) returned 1 [0151.275] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0151.275] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0151.275] __uncaught_exception () returned 0x70700 [0151.275] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0151.276] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\enu\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\enu\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0151.276] ??_V@YAXPAX@Z () returned 0x1 [0151.284] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0151.284] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\enu\\defaultid.pdf")) returned 0 [0151.284] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0151.284] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0151.284] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU") returned 0x3a [0151.284] strlen (_Str="${KEY}") returned 0x6 [0151.284] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0151.284] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0151.284] strlen (_Str="${CODE}") returned 0x7 [0151.285] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0151.285] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0151.285] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0151.285] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ENU\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0151.287] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0151.287] __uncaught_exception () returned 0x70700 [0151.287] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0151.288] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0151.288] wcsstr (_Str="ESP", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.288] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP") returned 58 [0151.288] wcscmp (_String1=".", _String2="ESP") returned -1 [0151.288] wcscmp (_String1="..", _String2="ESP") returned -1 [0151.288] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP") returned 0x3a [0151.288] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\*" [0151.288] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0151.289] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.289] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\.") returned 60 [0151.289] wcscmp (_String1=".", _String2=".") returned 0 [0151.289] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0151.289] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.290] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\..") returned 61 [0151.290] wcscmp (_String1=".", _String2="..") returned -1 [0151.290] wcscmp (_String1="..", _String2="..") returned 0 [0151.290] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0151.290] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.290] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\AdobeID.pdf") returned 70 [0151.290] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0151.290] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0151.290] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\AdobeID.pdf") returned 0x46 [0151.290] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\esp\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0151.290] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x109db, lpOverlapped=0x0) returned 1 [0151.305] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.305] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x109e0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x109e0, lpOverlapped=0x0) returned 1 [0151.305] CloseHandle (hObject=0x88) returned 1 [0151.305] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0151.305] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0151.305] __uncaught_exception () returned 0x70700 [0151.305] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0151.305] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\esp\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\esp\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0151.306] ??_V@YAXPAX@Z () returned 0x1 [0151.314] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0151.314] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\esp\\adobeid.pdf")) returned 0 [0151.314] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0151.314] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.314] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\DefaultID.pdf") returned 72 [0151.314] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0151.314] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0151.314] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\DefaultID.pdf") returned 0x48 [0151.314] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\esp\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0151.315] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x104bf, lpOverlapped=0x0) returned 1 [0151.616] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.616] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x104c0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x104c0, lpOverlapped=0x0) returned 1 [0151.617] CloseHandle (hObject=0x88) returned 1 [0151.617] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0151.617] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0151.617] __uncaught_exception () returned 0x70700 [0151.617] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0151.617] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\esp\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\esp\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0151.619] ??_V@YAXPAX@Z () returned 0x1 [0151.660] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0151.660] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\esp\\defaultid.pdf")) returned 0 [0151.660] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0151.660] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0151.660] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP") returned 0x3a [0151.660] strlen (_Str="${KEY}") returned 0x6 [0151.660] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0151.660] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0151.660] strlen (_Str="${CODE}") returned 0x7 [0151.660] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0151.660] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0151.660] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0151.660] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ESP\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0151.708] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0151.708] __uncaught_exception () returned 0x70700 [0151.708] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0151.710] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0151.710] wcsstr (_Str="EUQ", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.710] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\EUQ") returned 58 [0151.710] wcscmp (_String1=".", _String2="EUQ") returned -1 [0151.710] wcscmp (_String1="..", _String2="EUQ") returned -1 [0151.710] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\EUQ") returned 0x3a [0151.710] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\EUQ\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\EUQ\\*" [0151.710] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\EUQ\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0151.710] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.710] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\EUQ\\.") returned 60 [0151.710] wcscmp (_String1=".", _String2=".") returned 0 [0151.710] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0151.710] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.710] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\EUQ\\..") returned 61 [0151.710] wcscmp (_String1=".", _String2="..") returned -1 [0151.710] wcscmp (_String1="..", _String2="..") returned 0 [0151.710] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0151.710] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0151.710] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\EUQ") returned 0x3a [0151.710] strlen (_Str="${KEY}") returned 0x6 [0151.710] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0151.710] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0151.710] strlen (_Str="${CODE}") returned 0x7 [0151.710] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0151.710] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0151.711] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0151.711] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\EUQ\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0151.711] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0151.711] __uncaught_exception () returned 0x70700 [0151.711] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0151.712] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0151.712] wcsstr (_Str="FRA", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.712] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA") returned 58 [0151.712] wcscmp (_String1=".", _String2="FRA") returned -1 [0151.712] wcscmp (_String1="..", _String2="FRA") returned -1 [0151.712] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA") returned 0x3a [0151.712] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\*" [0151.712] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0151.713] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.713] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\.") returned 60 [0151.713] wcscmp (_String1=".", _String2=".") returned 0 [0151.713] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0151.713] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.713] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\..") returned 61 [0151.713] wcscmp (_String1=".", _String2="..") returned -1 [0151.713] wcscmp (_String1="..", _String2="..") returned 0 [0151.713] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0151.713] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.713] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\AdobeID.pdf") returned 70 [0151.713] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0151.713] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0151.713] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\AdobeID.pdf") returned 0x46 [0151.713] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\fra\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0151.713] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x10ab0, lpOverlapped=0x0) returned 1 [0151.743] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.743] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x10ac0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x10ac0, lpOverlapped=0x0) returned 1 [0151.743] CloseHandle (hObject=0x88) returned 1 [0151.744] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0151.744] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0151.744] __uncaught_exception () returned 0x70700 [0151.744] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0151.744] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\fra\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\fra\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0151.745] ??_V@YAXPAX@Z () returned 0x1 [0151.753] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0151.754] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\fra\\adobeid.pdf")) returned 0 [0151.754] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0151.754] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.754] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\DefaultID.pdf") returned 72 [0151.754] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0151.754] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0151.754] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\DefaultID.pdf") returned 0x48 [0151.754] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\fra\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0151.754] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x10596, lpOverlapped=0x0) returned 1 [0151.822] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0151.822] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x105a0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x105a0, lpOverlapped=0x0) returned 1 [0151.823] CloseHandle (hObject=0x88) returned 1 [0151.823] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0151.823] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0151.823] __uncaught_exception () returned 0x70700 [0151.823] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0151.823] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\fra\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\fra\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0151.824] ??_V@YAXPAX@Z () returned 0x1 [0151.830] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0151.830] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\fra\\defaultid.pdf")) returned 0 [0151.830] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0151.830] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0151.830] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA") returned 0x3a [0151.830] strlen (_Str="${KEY}") returned 0x6 [0151.830] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0151.830] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0151.830] strlen (_Str="${CODE}") returned 0x7 [0151.830] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0151.830] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0151.830] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0151.830] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\FRA\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0151.877] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0151.877] __uncaught_exception () returned 0x70700 [0151.877] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0151.879] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0151.879] wcsstr (_Str="HRV", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.879] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV") returned 58 [0151.879] wcscmp (_String1=".", _String2="HRV") returned -1 [0151.879] wcscmp (_String1="..", _String2="HRV") returned -1 [0151.879] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV") returned 0x3a [0151.879] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\*" [0151.879] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0151.879] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.879] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\.") returned 60 [0151.879] wcscmp (_String1=".", _String2=".") returned 0 [0151.879] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0151.879] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.879] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\..") returned 61 [0151.879] wcscmp (_String1=".", _String2="..") returned -1 [0151.879] wcscmp (_String1="..", _String2="..") returned 0 [0151.879] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0151.880] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0151.880] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\AdobeID.pdf") returned 70 [0151.880] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0151.880] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0151.880] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\AdobeID.pdf") returned 0x46 [0151.880] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hrv\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0151.880] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x43b5, lpOverlapped=0x0) returned 1 [0152.010] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.010] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x43c0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x43c0, lpOverlapped=0x0) returned 1 [0152.010] CloseHandle (hObject=0x88) returned 1 [0152.010] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0152.010] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0152.011] __uncaught_exception () returned 0x70700 [0152.011] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0152.011] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hrv\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hrv\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0152.011] ??_V@YAXPAX@Z () returned 0x1 [0152.018] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0152.018] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hrv\\adobeid.pdf")) returned 0 [0152.018] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0152.018] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0152.018] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\DefaultID.pdf") returned 72 [0152.018] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0152.018] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0152.018] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\DefaultID.pdf") returned 0x48 [0152.018] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hrv\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0152.019] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x3e95, lpOverlapped=0x0) returned 1 [0152.036] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.036] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x3ea0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x3ea0, lpOverlapped=0x0) returned 1 [0152.036] CloseHandle (hObject=0x88) returned 1 [0152.036] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0152.036] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0152.036] __uncaught_exception () returned 0x70700 [0152.036] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0152.037] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hrv\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hrv\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0152.037] ??_V@YAXPAX@Z () returned 0x1 [0152.043] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0152.043] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hrv\\defaultid.pdf")) returned 0 [0152.044] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0152.044] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0152.044] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV") returned 0x3a [0152.044] strlen (_Str="${KEY}") returned 0x6 [0152.044] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0152.044] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0152.044] strlen (_Str="${CODE}") returned 0x7 [0152.044] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0152.044] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0152.044] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0152.044] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HRV\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0152.057] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0152.057] __uncaught_exception () returned 0x70700 [0152.057] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0152.058] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0152.058] wcsstr (_Str="HUN", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0152.058] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN") returned 58 [0152.058] wcscmp (_String1=".", _String2="HUN") returned -1 [0152.058] wcscmp (_String1="..", _String2="HUN") returned -1 [0152.058] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN") returned 0x3a [0152.058] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\*" [0152.058] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0152.059] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0152.059] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\.") returned 60 [0152.059] wcscmp (_String1=".", _String2=".") returned 0 [0152.059] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0152.059] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0152.059] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\..") returned 61 [0152.059] wcscmp (_String1=".", _String2="..") returned -1 [0152.059] wcscmp (_String1="..", _String2="..") returned 0 [0152.059] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0152.059] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0152.059] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\AdobeID.pdf") returned 70 [0152.059] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0152.059] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0152.059] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\AdobeID.pdf") returned 0x46 [0152.059] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hun\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0152.060] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x16097, lpOverlapped=0x0) returned 1 [0152.090] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.090] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x160a0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x160a0, lpOverlapped=0x0) returned 1 [0152.090] CloseHandle (hObject=0x88) returned 1 [0152.090] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0152.090] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0152.090] __uncaught_exception () returned 0x70700 [0152.091] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0152.091] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hun\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hun\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0152.091] ??_V@YAXPAX@Z () returned 0x1 [0152.098] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0152.098] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hun\\adobeid.pdf")) returned 0 [0152.098] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0152.098] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0152.098] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\DefaultID.pdf") returned 72 [0152.098] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0152.098] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0152.098] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\DefaultID.pdf") returned 0x48 [0152.098] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hun\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0152.098] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x15db2, lpOverlapped=0x0) returned 1 [0152.183] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.184] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x15dc0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x15dc0, lpOverlapped=0x0) returned 1 [0152.184] CloseHandle (hObject=0x88) returned 1 [0152.184] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0152.184] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0152.184] __uncaught_exception () returned 0x70700 [0152.184] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0152.185] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hun\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hun\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0152.185] ??_V@YAXPAX@Z () returned 0x1 [0152.192] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0152.192] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\hun\\defaultid.pdf")) returned 0 [0152.192] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0152.192] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0152.192] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN") returned 0x3a [0152.192] strlen (_Str="${KEY}") returned 0x6 [0152.192] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0152.192] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0152.192] strlen (_Str="${CODE}") returned 0x7 [0152.192] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0152.192] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0152.192] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0152.192] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\HUN\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0152.236] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0152.236] __uncaught_exception () returned 0x70700 [0152.236] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0152.237] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0152.237] wcsstr (_Str="ITA", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0152.237] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA") returned 58 [0152.237] wcscmp (_String1=".", _String2="ITA") returned -1 [0152.237] wcscmp (_String1="..", _String2="ITA") returned -1 [0152.238] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA") returned 0x3a [0152.240] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\*" [0152.240] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0152.240] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0152.240] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\.") returned 60 [0152.240] wcscmp (_String1=".", _String2=".") returned 0 [0152.240] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0152.240] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0152.240] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\..") returned 61 [0152.241] wcscmp (_String1=".", _String2="..") returned -1 [0152.241] wcscmp (_String1="..", _String2="..") returned 0 [0152.241] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0152.241] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0152.241] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\AdobeID.pdf") returned 70 [0152.241] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0152.241] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0152.241] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\AdobeID.pdf") returned 0x46 [0152.241] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ita\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0152.242] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x10913, lpOverlapped=0x0) returned 1 [0152.466] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.466] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x10920, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x10920, lpOverlapped=0x0) returned 1 [0152.467] CloseHandle (hObject=0x88) returned 1 [0152.467] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0152.467] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0152.467] __uncaught_exception () returned 0x70700 [0152.467] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0152.468] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ita\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ita\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0152.468] ??_V@YAXPAX@Z () returned 0x1 [0152.476] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0152.476] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ita\\adobeid.pdf")) returned 0 [0152.476] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0152.477] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0152.477] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\DefaultID.pdf") returned 72 [0152.477] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0152.477] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0152.477] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\DefaultID.pdf") returned 0x48 [0152.477] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ita\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0152.477] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x103f8, lpOverlapped=0x0) returned 1 [0152.726] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.726] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x10400, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x10400, lpOverlapped=0x0) returned 1 [0152.727] CloseHandle (hObject=0x88) returned 1 [0152.727] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0152.727] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0152.727] __uncaught_exception () returned 0x70700 [0152.727] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0152.727] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ita\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ita\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0152.728] ??_V@YAXPAX@Z () returned 0x1 [0152.735] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0152.736] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ita\\defaultid.pdf")) returned 0 [0152.736] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0152.736] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0152.736] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA") returned 0x3a [0152.736] strlen (_Str="${KEY}") returned 0x6 [0152.736] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0152.736] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0152.736] strlen (_Str="${CODE}") returned 0x7 [0152.736] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0152.736] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0152.736] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0152.736] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\ITA\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0153.042] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0153.042] __uncaught_exception () returned 0x70700 [0153.042] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0153.048] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0153.048] wcsstr (_Str="JPN", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.048] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN") returned 58 [0153.048] wcscmp (_String1=".", _String2="JPN") returned -1 [0153.048] wcscmp (_String1="..", _String2="JPN") returned -1 [0153.048] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN") returned 0x3a [0153.048] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\*" [0153.048] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0153.048] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.048] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\.") returned 60 [0153.048] wcscmp (_String1=".", _String2=".") returned 0 [0153.048] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0153.048] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.049] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\..") returned 61 [0153.049] wcscmp (_String1=".", _String2="..") returned -1 [0153.049] wcscmp (_String1="..", _String2="..") returned 0 [0153.049] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0153.049] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.049] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\AdobeID.pdf") returned 70 [0153.049] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0153.049] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0153.049] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\AdobeID.pdf") returned 0x46 [0153.049] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\jpn\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0153.049] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x5944, lpOverlapped=0x0) returned 1 [0153.134] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.134] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5950, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x5950, lpOverlapped=0x0) returned 1 [0153.134] CloseHandle (hObject=0x88) returned 1 [0153.135] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0153.135] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0153.135] __uncaught_exception () returned 0x70700 [0153.135] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0153.135] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\jpn\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\jpn\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0153.135] ??_V@YAXPAX@Z () returned 0x1 [0153.142] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0153.142] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\jpn\\adobeid.pdf")) returned 0 [0153.142] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0153.142] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.142] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\DefaultID.pdf") returned 72 [0153.142] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0153.142] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0153.142] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\DefaultID.pdf") returned 0x48 [0153.142] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\jpn\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0153.143] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x5404, lpOverlapped=0x0) returned 1 [0153.259] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.259] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5410, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x5410, lpOverlapped=0x0) returned 1 [0153.260] CloseHandle (hObject=0x88) returned 1 [0153.260] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0153.260] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0153.260] __uncaught_exception () returned 0x70700 [0153.260] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0153.261] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\jpn\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\jpn\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0153.261] ??_V@YAXPAX@Z () returned 0x1 [0153.270] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0153.270] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\jpn\\defaultid.pdf")) returned 0 [0153.270] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0153.271] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0153.271] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN") returned 0x3a [0153.271] strlen (_Str="${KEY}") returned 0x6 [0153.271] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0153.271] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0153.271] strlen (_Str="${CODE}") returned 0x7 [0153.271] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0153.271] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0153.271] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0153.271] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\JPN\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0153.322] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0153.322] __uncaught_exception () returned 0x70700 [0153.322] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0153.323] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0153.323] wcsstr (_Str="KOR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.323] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR") returned 58 [0153.323] wcscmp (_String1=".", _String2="KOR") returned -1 [0153.323] wcscmp (_String1="..", _String2="KOR") returned -1 [0153.323] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR") returned 0x3a [0153.323] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\*" [0153.323] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0153.324] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.324] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\.") returned 60 [0153.324] wcscmp (_String1=".", _String2=".") returned 0 [0153.324] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0153.324] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.324] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\..") returned 61 [0153.324] wcscmp (_String1=".", _String2="..") returned -1 [0153.324] wcscmp (_String1="..", _String2="..") returned 0 [0153.324] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0153.324] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.324] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\AdobeID.pdf") returned 70 [0153.324] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0153.324] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0153.324] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\AdobeID.pdf") returned 0x46 [0153.324] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\kor\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0153.325] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x592a, lpOverlapped=0x0) returned 1 [0153.346] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.346] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5930, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x5930, lpOverlapped=0x0) returned 1 [0153.346] CloseHandle (hObject=0x88) returned 1 [0153.347] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0153.347] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0153.347] __uncaught_exception () returned 0x70700 [0153.347] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0153.347] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\kor\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\kor\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0153.348] ??_V@YAXPAX@Z () returned 0x1 [0153.357] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0153.357] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\kor\\adobeid.pdf")) returned 0 [0153.357] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0153.357] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.357] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\DefaultID.pdf") returned 72 [0153.357] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0153.357] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0153.357] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\DefaultID.pdf") returned 0x48 [0153.357] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\kor\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0153.358] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x5416, lpOverlapped=0x0) returned 1 [0153.378] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.378] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5420, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x5420, lpOverlapped=0x0) returned 1 [0153.378] CloseHandle (hObject=0x88) returned 1 [0153.378] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0153.378] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0153.378] __uncaught_exception () returned 0x70700 [0153.378] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0153.379] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\kor\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\kor\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0153.379] ??_V@YAXPAX@Z () returned 0x1 [0153.388] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0153.388] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\kor\\defaultid.pdf")) returned 0 [0153.388] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0153.388] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0153.388] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR") returned 0x3a [0153.389] strlen (_Str="${KEY}") returned 0x6 [0153.389] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0153.389] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0153.389] strlen (_Str="${CODE}") returned 0x7 [0153.389] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0153.389] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0153.389] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0153.389] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\KOR\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0153.400] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0153.400] __uncaught_exception () returned 0x70700 [0153.400] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0153.401] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0153.401] wcsstr (_Str="NLD", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.401] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD") returned 58 [0153.401] wcscmp (_String1=".", _String2="NLD") returned -1 [0153.401] wcscmp (_String1="..", _String2="NLD") returned -1 [0153.401] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD") returned 0x3a [0153.402] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\*" [0153.402] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0153.403] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.403] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\.") returned 60 [0153.403] wcscmp (_String1=".", _String2=".") returned 0 [0153.403] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0153.403] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.403] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\..") returned 61 [0153.403] wcscmp (_String1=".", _String2="..") returned -1 [0153.404] wcscmp (_String1="..", _String2="..") returned 0 [0153.404] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0153.404] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.404] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\AdobeID.pdf") returned 70 [0153.404] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0153.404] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0153.404] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\AdobeID.pdf") returned 0x46 [0153.404] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nld\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0153.404] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x10929, lpOverlapped=0x0) returned 1 [0153.492] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.492] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x10930, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x10930, lpOverlapped=0x0) returned 1 [0153.492] CloseHandle (hObject=0x88) returned 1 [0153.492] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0153.492] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0153.493] __uncaught_exception () returned 0x70700 [0153.493] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0153.493] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nld\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nld\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0153.493] ??_V@YAXPAX@Z () returned 0x1 [0153.558] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0153.558] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nld\\adobeid.pdf")) returned 0 [0153.558] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0153.558] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.558] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\DefaultID.pdf") returned 72 [0153.558] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0153.558] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0153.558] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\DefaultID.pdf") returned 0x48 [0153.558] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nld\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0153.558] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x10405, lpOverlapped=0x0) returned 1 [0153.599] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0153.599] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x10410, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x10410, lpOverlapped=0x0) returned 1 [0153.599] CloseHandle (hObject=0x88) returned 1 [0153.600] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0153.600] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0153.600] __uncaught_exception () returned 0x70700 [0153.600] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0153.600] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nld\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nld\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0153.601] ??_V@YAXPAX@Z () returned 0x1 [0153.609] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0153.609] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nld\\defaultid.pdf")) returned 0 [0153.609] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0153.609] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0153.609] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD") returned 0x3a [0153.609] strlen (_Str="${KEY}") returned 0x6 [0153.609] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0153.610] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0153.610] strlen (_Str="${CODE}") returned 0x7 [0153.610] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0153.610] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0153.610] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0153.610] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NLD\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0153.923] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0153.924] __uncaught_exception () returned 0x70700 [0153.924] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0153.925] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0153.925] wcsstr (_Str="NOR", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.925] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR") returned 58 [0153.926] wcscmp (_String1=".", _String2="NOR") returned -1 [0153.926] wcscmp (_String1="..", _String2="NOR") returned -1 [0153.926] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR") returned 0x3a [0153.926] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\*" [0153.926] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0153.926] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.926] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\.") returned 60 [0153.926] wcscmp (_String1=".", _String2=".") returned 0 [0153.926] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0153.926] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.926] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\..") returned 61 [0153.926] wcscmp (_String1=".", _String2="..") returned -1 [0153.926] wcscmp (_String1="..", _String2="..") returned 0 [0153.926] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0153.927] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0153.927] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\AdobeID.pdf") returned 70 [0153.927] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0153.927] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0153.927] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\AdobeID.pdf") returned 0x46 [0153.927] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nor\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0153.929] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x10956, lpOverlapped=0x0) returned 1 [0154.079] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.079] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x10960, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x10960, lpOverlapped=0x0) returned 1 [0154.080] CloseHandle (hObject=0x88) returned 1 [0154.080] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0154.080] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0154.080] __uncaught_exception () returned 0x70700 [0154.080] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0154.081] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nor\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nor\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0154.081] ??_V@YAXPAX@Z () returned 0x1 [0154.089] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0154.089] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nor\\adobeid.pdf")) returned 0 [0154.089] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0154.089] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.089] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\DefaultID.pdf") returned 72 [0154.090] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0154.090] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0154.090] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\DefaultID.pdf") returned 0x48 [0154.090] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nor\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0154.090] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x1043a, lpOverlapped=0x0) returned 1 [0154.126] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.126] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x10440, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x10440, lpOverlapped=0x0) returned 1 [0154.126] CloseHandle (hObject=0x88) returned 1 [0154.126] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0154.127] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0154.127] __uncaught_exception () returned 0x70700 [0154.127] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0154.127] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nor\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nor\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0154.130] ??_V@YAXPAX@Z () returned 0x1 [0154.139] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0154.139] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\nor\\defaultid.pdf")) returned 0 [0154.139] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0154.139] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0154.139] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR") returned 0x3a [0154.140] strlen (_Str="${KEY}") returned 0x6 [0154.140] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0154.140] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0154.140] strlen (_Str="${CODE}") returned 0x7 [0154.140] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0154.140] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0154.140] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0154.140] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\NOR\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0154.203] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0154.203] __uncaught_exception () returned 0x70700 [0154.203] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0154.206] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0154.206] wcsstr (_Str="POL", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.206] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL") returned 58 [0154.206] wcscmp (_String1=".", _String2="POL") returned -1 [0154.206] wcscmp (_String1="..", _String2="POL") returned -1 [0154.206] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL") returned 0x3a [0154.206] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\*" [0154.206] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0154.207] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.207] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\.") returned 60 [0154.208] wcscmp (_String1=".", _String2=".") returned 0 [0154.208] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0154.208] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.208] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\..") returned 61 [0154.208] wcscmp (_String1=".", _String2="..") returned -1 [0154.208] wcscmp (_String1="..", _String2="..") returned 0 [0154.208] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0154.208] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.208] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\AdobeID.pdf") returned 70 [0154.208] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0154.208] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0154.208] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\AdobeID.pdf") returned 0x46 [0154.208] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\pol\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0154.209] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x26ca2, lpOverlapped=0x0) returned 1 [0154.318] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.318] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x26cb0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x26cb0, lpOverlapped=0x0) returned 1 [0154.319] CloseHandle (hObject=0x88) returned 1 [0154.319] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0154.320] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0154.320] __uncaught_exception () returned 0x70700 [0154.320] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0154.320] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\pol\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\pol\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0154.321] ??_V@YAXPAX@Z () returned 0x1 [0154.331] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0154.331] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\pol\\adobeid.pdf")) returned 0 [0154.331] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0154.331] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.331] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\DefaultID.pdf") returned 72 [0154.331] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0154.332] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0154.332] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\DefaultID.pdf") returned 0x48 [0154.332] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\pol\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0154.332] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x25d4a, lpOverlapped=0x0) returned 1 [0154.390] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.390] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x25d50, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x25d50, lpOverlapped=0x0) returned 1 [0154.391] CloseHandle (hObject=0x88) returned 1 [0154.391] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0154.391] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0154.391] __uncaught_exception () returned 0x70700 [0154.391] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0154.392] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\pol\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\pol\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0154.392] ??_V@YAXPAX@Z () returned 0x1 [0154.402] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0154.402] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\pol\\defaultid.pdf")) returned 0 [0154.403] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0154.403] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0154.403] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL") returned 0x3a [0154.403] strlen (_Str="${KEY}") returned 0x6 [0154.403] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0154.403] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0154.403] strlen (_Str="${CODE}") returned 0x7 [0154.403] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0154.403] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0154.403] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0154.403] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\POL\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0154.487] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0154.487] __uncaught_exception () returned 0x70700 [0154.487] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0154.489] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0154.489] wcsstr (_Str="PTB", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.489] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB") returned 58 [0154.489] wcscmp (_String1=".", _String2="PTB") returned -1 [0154.489] wcscmp (_String1="..", _String2="PTB") returned -1 [0154.489] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB") returned 0x3a [0154.489] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\*" [0154.489] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0154.490] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.490] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\.") returned 60 [0154.490] wcscmp (_String1=".", _String2=".") returned 0 [0154.490] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0154.490] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.490] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\..") returned 61 [0154.490] wcscmp (_String1=".", _String2="..") returned -1 [0154.490] wcscmp (_String1="..", _String2="..") returned 0 [0154.490] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0154.490] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.490] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\AdobeID.pdf") returned 70 [0154.490] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0154.490] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0154.490] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\AdobeID.pdf") returned 0x46 [0154.490] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ptb\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0154.491] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x11426, lpOverlapped=0x0) returned 1 [0154.598] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.598] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x11430, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x11430, lpOverlapped=0x0) returned 1 [0154.599] CloseHandle (hObject=0x88) returned 1 [0154.599] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0154.600] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0154.600] __uncaught_exception () returned 0x70700 [0154.600] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0154.600] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ptb\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ptb\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0154.605] ??_V@YAXPAX@Z () returned 0x1 [0154.617] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0154.617] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ptb\\adobeid.pdf")) returned 0 [0154.617] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0154.617] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.617] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\DefaultID.pdf") returned 72 [0154.617] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0154.617] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0154.618] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\DefaultID.pdf") returned 0x48 [0154.618] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ptb\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0154.619] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x10f09, lpOverlapped=0x0) returned 1 [0154.716] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.716] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x10f10, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x10f10, lpOverlapped=0x0) returned 1 [0154.716] CloseHandle (hObject=0x88) returned 1 [0154.717] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0154.717] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0154.717] __uncaught_exception () returned 0x70700 [0154.717] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0154.718] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ptb\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ptb\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0154.718] ??_V@YAXPAX@Z () returned 0x1 [0154.778] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0154.778] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\ptb\\defaultid.pdf")) returned 0 [0154.778] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0154.779] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0154.779] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB") returned 0x3a [0154.779] strlen (_Str="${KEY}") returned 0x6 [0154.779] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0154.779] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0154.779] strlen (_Str="${CODE}") returned 0x7 [0154.779] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0154.779] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0154.779] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0154.779] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\PTB\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0154.783] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0154.783] __uncaught_exception () returned 0x70700 [0154.783] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0154.785] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0154.785] wcsstr (_Str="RUM", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.785] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM") returned 58 [0154.785] wcscmp (_String1=".", _String2="RUM") returned -1 [0154.785] wcscmp (_String1="..", _String2="RUM") returned -1 [0154.785] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM") returned 0x3a [0154.786] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\*" [0154.786] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0154.787] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.787] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\.") returned 60 [0154.787] wcscmp (_String1=".", _String2=".") returned 0 [0154.787] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0154.787] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.787] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\..") returned 61 [0154.787] wcscmp (_String1=".", _String2="..") returned -1 [0154.787] wcscmp (_String1="..", _String2="..") returned 0 [0154.787] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0154.787] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.787] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\AdobeID.pdf") returned 70 [0154.787] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0154.787] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0154.788] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\AdobeID.pdf") returned 0x46 [0154.788] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rum\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0154.788] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x5891, lpOverlapped=0x0) returned 1 [0154.840] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.840] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x58a0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x58a0, lpOverlapped=0x0) returned 1 [0154.840] CloseHandle (hObject=0x88) returned 1 [0154.841] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0154.841] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0154.841] __uncaught_exception () returned 0x70700 [0154.841] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0154.842] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rum\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rum\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0154.843] ??_V@YAXPAX@Z () returned 0x1 [0154.855] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0154.855] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rum\\adobeid.pdf")) returned 0 [0154.855] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0154.855] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.855] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\DefaultID.pdf") returned 72 [0154.855] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0154.855] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0154.855] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\DefaultID.pdf") returned 0x48 [0154.855] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rum\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0154.856] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x5be8, lpOverlapped=0x0) returned 1 [0154.935] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0154.935] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5bf0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x5bf0, lpOverlapped=0x0) returned 1 [0154.935] CloseHandle (hObject=0x88) returned 1 [0154.935] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0154.936] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0154.936] __uncaught_exception () returned 0x70700 [0154.936] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0154.936] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rum\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rum\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0154.937] ??_V@YAXPAX@Z () returned 0x1 [0154.949] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0154.949] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rum\\defaultid.pdf")) returned 0 [0154.950] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0154.950] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0154.950] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM") returned 0x3a [0154.950] strlen (_Str="${KEY}") returned 0x6 [0154.950] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0154.950] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0154.950] strlen (_Str="${CODE}") returned 0x7 [0154.950] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0154.950] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0154.950] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0154.951] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUM\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0154.983] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0154.983] __uncaught_exception () returned 0x70700 [0154.983] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0154.985] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0154.985] wcsstr (_Str="RUS", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.985] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS") returned 58 [0154.985] wcscmp (_String1=".", _String2="RUS") returned -1 [0154.986] wcscmp (_String1="..", _String2="RUS") returned -1 [0154.986] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS") returned 0x3a [0154.986] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\*" [0154.986] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0154.986] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.986] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\.") returned 60 [0154.986] wcscmp (_String1=".", _String2=".") returned 0 [0154.986] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0154.987] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.987] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\..") returned 61 [0154.987] wcscmp (_String1=".", _String2="..") returned -1 [0154.987] wcscmp (_String1="..", _String2="..") returned 0 [0154.987] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0154.987] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0154.987] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\AdobeID.pdf") returned 70 [0154.987] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0154.987] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0154.987] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\AdobeID.pdf") returned 0x46 [0154.987] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rus\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0154.988] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x1e071, lpOverlapped=0x0) returned 1 [0155.149] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.150] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1e080, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x1e080, lpOverlapped=0x0) returned 1 [0155.151] CloseHandle (hObject=0x88) returned 1 [0155.151] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0155.151] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0155.151] __uncaught_exception () returned 0x70700 [0155.151] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0155.152] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rus\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rus\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0155.153] ??_V@YAXPAX@Z () returned 0x1 [0155.161] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0155.161] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rus\\adobeid.pdf")) returned 0 [0155.161] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0155.161] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0155.161] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\DefaultID.pdf") returned 72 [0155.161] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0155.161] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0155.161] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\DefaultID.pdf") returned 0x48 [0155.161] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rus\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0155.162] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x1d17f, lpOverlapped=0x0) returned 1 [0155.502] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.502] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x1d180, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x1d180, lpOverlapped=0x0) returned 1 [0155.503] CloseHandle (hObject=0x88) returned 1 [0155.503] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0155.504] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0155.504] __uncaught_exception () returned 0x70700 [0155.504] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0155.504] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rus\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rus\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0155.505] ??_V@YAXPAX@Z () returned 0x1 [0155.536] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0155.536] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\rus\\defaultid.pdf")) returned 0 [0155.536] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0155.537] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0155.537] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS") returned 0x3a [0155.537] strlen (_Str="${KEY}") returned 0x6 [0155.537] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0155.537] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0155.537] strlen (_Str="${CODE}") returned 0x7 [0155.537] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0155.537] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0155.537] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0155.537] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\RUS\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0155.620] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0155.620] __uncaught_exception () returned 0x70700 [0155.620] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0155.627] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0155.627] wcsstr (_Str="SKY", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0155.627] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY") returned 58 [0155.627] wcscmp (_String1=".", _String2="SKY") returned -1 [0155.627] wcscmp (_String1="..", _String2="SKY") returned -1 [0155.627] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY") returned 0x3a [0155.627] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\*" [0155.627] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0155.629] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0155.629] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\.") returned 60 [0155.629] wcscmp (_String1=".", _String2=".") returned 0 [0155.629] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0155.629] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0155.629] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\..") returned 61 [0155.629] wcscmp (_String1=".", _String2="..") returned -1 [0155.629] wcscmp (_String1="..", _String2="..") returned 0 [0155.629] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0155.629] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0155.629] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\AdobeID.pdf") returned 70 [0155.629] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0155.629] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0155.629] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\AdobeID.pdf") returned 0x46 [0155.629] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\sky\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0155.630] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x161fc, lpOverlapped=0x0) returned 1 [0155.658] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.658] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x16200, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x16200, lpOverlapped=0x0) returned 1 [0155.659] CloseHandle (hObject=0x88) returned 1 [0155.659] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0155.659] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0155.659] __uncaught_exception () returned 0x70700 [0155.659] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0155.660] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\sky\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\sky\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0155.660] ??_V@YAXPAX@Z () returned 0x1 [0155.671] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0155.671] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\sky\\adobeid.pdf")) returned 0 [0155.671] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0155.671] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0155.671] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\DefaultID.pdf") returned 72 [0155.671] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0155.671] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0155.671] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\DefaultID.pdf") returned 0x48 [0155.671] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\sky\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0155.672] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x13d46, lpOverlapped=0x0) returned 1 [0155.784] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.784] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x13d50, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x13d50, lpOverlapped=0x0) returned 1 [0155.785] CloseHandle (hObject=0x88) returned 1 [0155.785] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0155.785] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0155.785] __uncaught_exception () returned 0x70700 [0155.785] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0155.785] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\sky\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\sky\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0155.787] ??_V@YAXPAX@Z () returned 0x1 [0155.875] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0155.875] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\sky\\defaultid.pdf")) returned 0 [0155.875] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0155.875] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0155.875] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY") returned 0x3a [0155.875] strlen (_Str="${KEY}") returned 0x6 [0155.875] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0155.875] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0155.875] strlen (_Str="${CODE}") returned 0x7 [0155.875] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0155.875] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0155.875] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0155.875] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SKY\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0155.910] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0155.910] __uncaught_exception () returned 0x70700 [0155.910] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0155.920] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0155.920] wcsstr (_Str="SLV", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0155.920] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV") returned 58 [0155.931] wcscmp (_String1=".", _String2="SLV") returned -1 [0155.931] wcscmp (_String1="..", _String2="SLV") returned -1 [0155.931] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV") returned 0x3a [0155.931] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\*" [0155.931] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0155.932] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0155.932] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\.") returned 60 [0155.932] wcscmp (_String1=".", _String2=".") returned 0 [0155.932] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0155.932] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0155.932] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\..") returned 61 [0155.932] wcscmp (_String1=".", _String2="..") returned -1 [0155.932] wcscmp (_String1="..", _String2="..") returned 0 [0155.932] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0155.932] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0155.932] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\AdobeID.pdf") returned 70 [0155.932] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0155.932] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0155.932] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\AdobeID.pdf") returned 0x46 [0155.932] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\slv\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0155.933] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x6133, lpOverlapped=0x0) returned 1 [0155.946] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0155.946] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x6140, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x6140, lpOverlapped=0x0) returned 1 [0155.947] CloseHandle (hObject=0x88) returned 1 [0155.947] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\AdobeID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0155.947] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0155.947] __uncaught_exception () returned 0x70700 [0155.947] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0155.947] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\slv\\adobeid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\AdobeID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\slv\\adobeid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0155.948] ??_V@YAXPAX@Z () returned 0x1 [0155.956] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\AdobeID.pdf", dwFileAttributes=0x0) returned 0 [0155.956] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\slv\\adobeid.pdf")) returned 0 [0155.956] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0155.956] wcsstr (_Str="DefaultID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0155.956] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\DefaultID.pdf") returned 72 [0155.956] wcscmp (_String1="DefaultID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0155.956] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="DefaultID.pdf") returned 0x0 [0155.956] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\DefaultID.pdf") returned 0x48 [0155.956] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\slv\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0155.957] ReadFile (in: hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesRead=0x1ad7e4*=0x5aac, lpOverlapped=0x0) returned 1 [0156.379] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0156.379] WriteFile (in: hFile=0x88, lpBuffer=0x1130020*, nNumberOfBytesToWrite=0x5ab0, lpNumberOfBytesWritten=0x1ad7e4, lpOverlapped=0x0 | out: lpBuffer=0x1130020*, lpNumberOfBytesWritten=0x1ad7e4*=0x5ab0, lpOverlapped=0x0) returned 1 [0156.379] CloseHandle (hObject=0x88) returned 1 [0156.380] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\DefaultID.pdf", _Mode="a", _ShFlag=64) returned 0x76b32960 [0156.380] fputc (in: _Ch=56, _File=0x76b32960 | out: _File=0x76b32960) returned 56 [0156.380] __uncaught_exception () returned 0x70700 [0156.380] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0156.380] MoveFileW (lpExistingFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\slv\\defaultid.pdf"), lpNewFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\DefaultID.pdf.[rmail@rmail.cc].rmaile" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\slv\\defaultid.pdf.[rmail@rmail.cc].rmaile")) returned 1 [0156.381] ??_V@YAXPAX@Z () returned 0x1 [0156.389] SetFileAttributesW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\DefaultID.pdf", dwFileAttributes=0x0) returned 0 [0156.389] DeleteFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\DefaultID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\slv\\defaultid.pdf")) returned 0 [0156.389] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0 [0156.389] FindClose (in: hFindFile=0x44e468 | out: hFindFile=0x44e468) returned 1 [0156.389] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV") returned 0x3a [0156.389] strlen (_Str="${KEY}") returned 0x6 [0156.389] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x11) returned 0x7d10d [0156.389] memchr (_Buf=0x7d10e, _Val=36, _MaxCount=0x3) returned 0x0 [0156.389] strlen (_Str="${CODE}") returned 0x7 [0156.389] memchr (_Buf=0x7d100, _Val=36, _MaxCount=0x10) returned 0x7d10d [0156.390] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0156.390] wcslen (_String="\\!=How_recovery_files=!.txt") returned 0x1b [0156.390] _wfsopen (_FileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SLV\\!=How_recovery_files=!.txt", _Mode="w", _ShFlag=64) returned 0x76b32960 [0156.719] fputc (in: _Ch=72, _File=0x76b32960 | out: _File=0x76b32960) returned 72 [0156.719] __uncaught_exception () returned 0x70700 [0156.719] fclose (in: _File=0x76b32960 | out: _File=0x76b32960) returned 0 [0156.721] FindNextFileW (in: hFindFile=0x44e428, lpFindFileData=0x1add34 | out: lpFindFileData=0x1add34) returned 1 [0156.721] wcsstr (_Str="SUO", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0156.721] _snwprintf (in: _Dest=0x1adfb4, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO") returned 58 [0156.721] wcscmp (_String1=".", _String2="SUO") returned -1 [0156.721] wcscmp (_String1="..", _String2="SUO") returned -1 [0156.721] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO") returned 0x3a [0156.721] wcscat (in: _Dest=0x1adaf8, _Source="\\*" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\*") returned="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\*" [0156.721] FindFirstFileW (in: lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\*", lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 0x44e468 [0156.721] wcsstr (_Str=".", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0156.721] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\.") returned 60 [0156.721] wcscmp (_String1=".", _String2=".") returned 0 [0156.721] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0156.721] wcsstr (_Str="..", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0156.721] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\..") returned 61 [0156.721] wcscmp (_String1=".", _String2="..") returned -1 [0156.722] wcscmp (_String1="..", _String2="..") returned 0 [0156.722] FindNextFileW (in: hFindFile=0x44e468, lpFindFileData=0x1ad878 | out: lpFindFileData=0x1ad878) returned 1 [0156.722] wcsstr (_Str="AdobeID.pdf", _SubStr=".[rmail@rmail.cc].rmaile") returned 0x0 [0156.722] _snwprintf (in: _Dest=0x1adaf8, _Count=0x104, _Format="%s\\%s" | out: _Dest="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\AdobeID.pdf") returned 70 [0156.722] wcscmp (_String1="AdobeID.pdf", _String2="!=How_recovery_files=!.txt") returned 1 [0156.722] wcsstr (_Str="C:\\Users\\EEBsYm5\\Desktop\\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe", _SubStr="AdobeID.pdf") returned 0x0 [0156.722] wcslen (_String="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\AdobeID.pdf") returned 0x46 [0156.722] CreateFileW (lpFileName="C:\\\\Program Files\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\SUO\\AdobeID.pdf" (normalized: "c:\\program files\\adobe\\reader 10.0\\reader\\idtemplates\\suo\\adobeid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0156.722] ReadFile (hFile=0x88, lpBuffer=0x1130020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x1ad7e4, lpOverlapped=0x0) Process: id = "2" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x7ea163e0" os_pid = "0x9e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x9e0" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\EEBsYm5\\Desktop\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000ea01" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 208 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 209 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 210 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 211 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 212 start_va = 0xa30000 end_va = 0xa4efff entry_point = 0xa30000 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\System32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe") Region: id = 213 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 214 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 215 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 216 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 217 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 265 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 266 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 267 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 268 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 269 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 270 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 478 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 479 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 480 start_va = 0x70370000 end_va = 0x7037ffff entry_point = 0x70370000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 481 start_va = 0x70380000 end_va = 0x70495fff entry_point = 0x70380000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 482 start_va = 0x738a0000 end_va = 0x738b3fff entry_point = 0x738a0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 483 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 484 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 485 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 486 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 487 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 488 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 489 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 490 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 491 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 492 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 498 start_va = 0x170000 end_va = 0x237fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 499 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 500 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 507 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 508 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 509 start_va = 0xe0000 end_va = 0xecfff entry_point = 0xe0000 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\System32\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssadmin.exe.mui") Region: id = 510 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 511 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 512 start_va = 0x400000 end_va = 0x500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 513 start_va = 0xa50000 end_va = 0x164ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 514 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 517 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 518 start_va = 0x560000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 519 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 520 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 522 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 523 start_va = 0x6f0000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 524 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 525 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 526 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 527 start_va = 0x730000 end_va = 0x9fefff entry_point = 0x730000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 528 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 539 start_va = 0x6b0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 540 start_va = 0x16a0000 end_va = 0x16dffff entry_point = 0x0 region_type = private name = "private_0x00000000016a0000" filename = "" Region: id = 541 start_va = 0x71f20000 end_va = 0x71f29fff entry_point = 0x71f20000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 542 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 543 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Thread: id = 2 os_tid = 0x9ec Thread: id = 3 os_tid = 0xa00 Thread: id = 4 os_tid = 0xa08 Thread: id = 5 os_tid = 0xa0c Thread: id = 6 os_tid = 0xa10 Process: id = "3" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x7ea16660" os_pid = "0xa18" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x9e8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0004a4f4" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 544 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 545 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 546 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 547 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 548 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 549 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 550 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 551 start_va = 0x200000 end_va = 0x2c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 552 start_va = 0x2d0000 end_va = 0x34ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 553 start_va = 0x350000 end_va = 0x351fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 554 start_va = 0x360000 end_va = 0x370fff entry_point = 0x360000 region_type = mapped_file name = "vssvc.exe.mui" filename = "\\Windows\\System32\\en-US\\VSSVC.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssvc.exe.mui") Region: id = 555 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 556 start_va = 0x390000 end_va = 0x490fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 557 start_va = 0x4a0000 end_va = 0x4a0fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 558 start_va = 0x4b0000 end_va = 0x4b0fff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 559 start_va = 0x4c0000 end_va = 0x5bcfff entry_point = 0x4c0000 region_type = mapped_file name = "vssvc.exe" filename = "\\Windows\\System32\\VSSVC.exe" (normalized: "c:\\windows\\system32\\vssvc.exe") Region: id = 560 start_va = 0x5c0000 end_va = 0x9b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 561 start_va = 0x9c0000 end_va = 0xabffff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 562 start_va = 0xac0000 end_va = 0xac0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 563 start_va = 0xb00000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 564 start_va = 0xb90000 end_va = 0xbcffff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 565 start_va = 0xbe0000 end_va = 0xc1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 566 start_va = 0xc30000 end_va = 0xc6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 567 start_va = 0xcf0000 end_va = 0xd2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 568 start_va = 0xd30000 end_va = 0xffefff entry_point = 0xd30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 569 start_va = 0x10a0000 end_va = 0x119ffff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 570 start_va = 0x6e950000 end_va = 0x6e963fff entry_point = 0x6e950000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 571 start_va = 0x6e970000 end_va = 0x6e9aafff entry_point = 0x6e970000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 572 start_va = 0x70370000 end_va = 0x7037ffff entry_point = 0x70370000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 573 start_va = 0x70380000 end_va = 0x70495fff entry_point = 0x70380000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 574 start_va = 0x71de0000 end_va = 0x71de6fff entry_point = 0x71de0000 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 575 start_va = 0x71f20000 end_va = 0x71f29fff entry_point = 0x71f20000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 576 start_va = 0x71f40000 end_va = 0x71f4ffff entry_point = 0x71f40000 region_type = mapped_file name = "xolehlp.dll" filename = "\\Windows\\System32\\xolehlp.dll" (normalized: "c:\\windows\\system32\\xolehlp.dll") Region: id = 577 start_va = 0x71f50000 end_va = 0x71f57fff entry_point = 0x71f50000 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 578 start_va = 0x738a0000 end_va = 0x738b3fff entry_point = 0x738a0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 579 start_va = 0x73c30000 end_va = 0x73c3efff entry_point = 0x73c30000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 580 start_va = 0x73c40000 end_va = 0x73c4efff entry_point = 0x73c40000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 581 start_va = 0x73c50000 end_va = 0x73c58fff entry_point = 0x73c50000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 582 start_va = 0x73c60000 end_va = 0x73c70fff entry_point = 0x73c60000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 583 start_va = 0x748d0000 end_va = 0x748d8fff entry_point = 0x748d0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 584 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 585 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 586 start_va = 0x74fe0000 end_va = 0x74ffafff entry_point = 0x74fe0000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 587 start_va = 0x75060000 end_va = 0x75070fff entry_point = 0x75060000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 588 start_va = 0x75220000 end_va = 0x75238fff entry_point = 0x75220000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 589 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 590 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 591 start_va = 0x75400000 end_va = 0x75411fff entry_point = 0x75400000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 592 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 593 start_va = 0x75590000 end_va = 0x755b6fff entry_point = 0x75590000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 594 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 595 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 596 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 597 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 598 start_va = 0x764b0000 end_va = 0x7664cfff entry_point = 0x764b0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 599 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 600 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 601 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 602 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 603 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 604 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 605 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 606 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 607 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 608 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 609 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 610 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 611 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 612 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 613 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 614 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 615 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 616 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 617 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 618 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 619 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 620 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 621 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 622 start_va = 0x74320000 end_va = 0x74331fff entry_point = 0x74320000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 623 start_va = 0xad0000 end_va = 0xad0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 624 start_va = 0x73820000 end_va = 0x73866fff entry_point = 0x73820000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 751 start_va = 0x74220000 end_va = 0x74314fff entry_point = 0x74220000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 752 start_va = 0x6e240000 end_va = 0x6e2bafff entry_point = 0x6e240000 region_type = mapped_file name = "catsrvut.dll" filename = "\\Windows\\System32\\catsrvut.dll" (normalized: "c:\\windows\\system32\\catsrvut.dll") Region: id = 753 start_va = 0x6f9d0000 end_va = 0x6f9d9fff entry_point = 0x6f9d0000 region_type = mapped_file name = "mfcsubs.dll" filename = "\\Windows\\System32\\mfcsubs.dll" (normalized: "c:\\windows\\system32\\mfcsubs.dll") Thread: id = 7 os_tid = 0xa30 Thread: id = 8 os_tid = 0xa2c Thread: id = 9 os_tid = 0xa28 Thread: id = 10 os_tid = 0xa24 Thread: id = 11 os_tid = 0xa20 Thread: id = 12 os_tid = 0xa1c Thread: id = 13 os_tid = 0xa34 Thread: id = 30 os_tid = 0xa50 Thread: id = 37 os_tid = 0xab4 Thread: id = 59 os_tid = 0xc60 Process: id = "4" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7ea16200" os_pid = "0x3e8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0xa18" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c2d0" [0xc000000f], "LOCAL" [0x7] Region: id = 625 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 626 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 627 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 628 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 629 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 630 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 631 start_va = 0x100000 end_va = 0x101fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 632 start_va = 0x110000 end_va = 0x117fff entry_point = 0x110000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 633 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 634 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 635 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 636 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x150000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 637 start_va = 0x160000 end_va = 0x163fff entry_point = 0x160000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 638 start_va = 0x170000 end_va = 0x171fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 639 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 640 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 641 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 642 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 643 start_va = 0x2d0000 end_va = 0x397fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 644 start_va = 0x3a0000 end_va = 0x4a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 645 start_va = 0x4b0000 end_va = 0x52ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 646 start_va = 0x530000 end_va = 0x922fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 647 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 648 start_va = 0x990000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 649 start_va = 0xa70000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 650 start_va = 0xaf0000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 651 start_va = 0xb30000 end_va = 0xb6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 652 start_va = 0xb70000 end_va = 0xbaffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 653 start_va = 0xbf0000 end_va = 0xc2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 654 start_va = 0xc30000 end_va = 0xefefff entry_point = 0xc30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 655 start_va = 0xf00000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 656 start_va = 0xf80000 end_va = 0xfbffff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 657 start_va = 0x1010000 end_va = 0x104ffff entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 658 start_va = 0x1070000 end_va = 0x10affff entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 659 start_va = 0x10c0000 end_va = 0x10fffff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 660 start_va = 0x1120000 end_va = 0x115ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 661 start_va = 0x11a0000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 662 start_va = 0x11b0000 end_va = 0x12affff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 663 start_va = 0x12b0000 end_va = 0x13affff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 664 start_va = 0x13f0000 end_va = 0x13fffff entry_point = 0x0 region_type = private name = "private_0x00000000013f0000" filename = "" Region: id = 665 start_va = 0x1400000 end_va = 0x14bffff entry_point = 0x1400000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 666 start_va = 0x14f0000 end_va = 0x152ffff entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 667 start_va = 0x1550000 end_va = 0x158ffff entry_point = 0x0 region_type = private name = "private_0x0000000001550000" filename = "" Region: id = 668 start_va = 0x15e0000 end_va = 0x15effff entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 669 start_va = 0x1610000 end_va = 0x164ffff entry_point = 0x0 region_type = private name = "private_0x0000000001610000" filename = "" Region: id = 670 start_va = 0x16c0000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x00000000016c0000" filename = "" Region: id = 671 start_va = 0x17a0000 end_va = 0x17dffff entry_point = 0x0 region_type = private name = "private_0x00000000017a0000" filename = "" Region: id = 672 start_va = 0x6e5a0000 end_va = 0x6e5acfff entry_point = 0x6e5a0000 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 673 start_va = 0x6e5b0000 end_va = 0x6e5b2fff entry_point = 0x6e5b0000 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 674 start_va = 0x6e5c0000 end_va = 0x6e5d1fff entry_point = 0x6e5c0000 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 675 start_va = 0x6e5e0000 end_va = 0x6e66ffff entry_point = 0x6e5e0000 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 676 start_va = 0x6e700000 end_va = 0x6e707fff entry_point = 0x6e700000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 677 start_va = 0x6e8a0000 end_va = 0x6e8f9fff entry_point = 0x6e8a0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 678 start_va = 0x6f290000 end_va = 0x6f2f0fff entry_point = 0x6f290000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 679 start_va = 0x6fcf0000 end_va = 0x6fd3efff entry_point = 0x6fcf0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 680 start_va = 0x6fd40000 end_va = 0x6fd97fff entry_point = 0x6fd40000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 681 start_va = 0x6fff0000 end_va = 0x70004fff entry_point = 0x6fff0000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 682 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 683 start_va = 0x718b0000 end_va = 0x718fbfff entry_point = 0x718b0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 684 start_va = 0x71f60000 end_va = 0x71f67fff entry_point = 0x71f60000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 685 start_va = 0x71f70000 end_va = 0x71f81fff entry_point = 0x71f70000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 686 start_va = 0x733c0000 end_va = 0x733cffff entry_point = 0x733c0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 687 start_va = 0x73670000 end_va = 0x73681fff entry_point = 0x73670000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 688 start_va = 0x73690000 end_va = 0x7369cfff entry_point = 0x73690000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 689 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 690 start_va = 0x737a0000 end_va = 0x737a7fff entry_point = 0x737a0000 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 691 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 692 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 693 start_va = 0x73820000 end_va = 0x73866fff entry_point = 0x73820000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 694 start_va = 0x73880000 end_va = 0x73888fff entry_point = 0x73880000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 695 start_va = 0x738f0000 end_va = 0x738fffff entry_point = 0x738f0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 696 start_va = 0x73eb0000 end_va = 0x73ec2fff entry_point = 0x73eb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 697 start_va = 0x748d0000 end_va = 0x748d8fff entry_point = 0x748d0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 698 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 699 start_va = 0x74a10000 end_va = 0x74a25fff entry_point = 0x74a10000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 700 start_va = 0x74a30000 end_va = 0x74a46fff entry_point = 0x74a30000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 701 start_va = 0x74b20000 end_va = 0x74b27fff entry_point = 0x74b20000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 702 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 703 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 704 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 705 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 706 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 707 start_va = 0x75290000 end_va = 0x75297fff entry_point = 0x75290000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 708 start_va = 0x752b0000 end_va = 0x752cafff entry_point = 0x752b0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 709 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 710 start_va = 0x752e0000 end_va = 0x7533efff entry_point = 0x752e0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 711 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 712 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 713 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 714 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 715 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 716 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 717 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 718 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 719 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 720 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 721 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 722 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 723 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 724 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 725 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 726 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 727 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 728 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 729 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 730 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 731 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 732 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 733 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 734 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 735 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 736 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 737 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 738 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 739 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 740 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 741 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 742 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 743 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 744 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 745 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 746 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 747 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 748 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 749 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 750 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 14 os_tid = 0x6bc Thread: id = 15 os_tid = 0x260 Thread: id = 16 os_tid = 0x41c Thread: id = 17 os_tid = 0x608 Thread: id = 18 os_tid = 0x6d4 Thread: id = 19 os_tid = 0x124 Thread: id = 20 os_tid = 0x144 Thread: id = 21 os_tid = 0x7bc Thread: id = 22 os_tid = 0x7a8 Thread: id = 23 os_tid = 0x7a4 Thread: id = 24 os_tid = 0x638 Thread: id = 25 os_tid = 0x62c Thread: id = 26 os_tid = 0x414 Thread: id = 27 os_tid = 0x410 Thread: id = 28 os_tid = 0x400 Thread: id = 29 os_tid = 0x3ec Thread: id = 39 os_tid = 0xb4c Thread: id = 40 os_tid = 0xbc4 Thread: id = 41 os_tid = 0xbe8 Thread: id = 57 os_tid = 0xc4c Thread: id = 65 os_tid = 0xcec Process: id = "5" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7ea16600" os_pid = "0xa38" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0xa18" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0004aa1c" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 754 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 755 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 756 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 757 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 758 start_va = 0x50000 end_va = 0x51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 759 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 760 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 761 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 762 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 763 start_va = 0x110000 end_va = 0x117fff entry_point = 0x110000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 764 start_va = 0x120000 end_va = 0x186fff entry_point = 0x120000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 765 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 766 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 767 start_va = 0x3a0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 768 start_va = 0x3e0000 end_va = 0x45ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 769 start_va = 0x470000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 770 start_va = 0x500000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 771 start_va = 0x510000 end_va = 0x7defff entry_point = 0x510000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 772 start_va = 0x7e0000 end_va = 0x8a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 773 start_va = 0x8b0000 end_va = 0x9b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 774 start_va = 0x9c0000 end_va = 0xdb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009c0000" filename = "" Region: id = 775 start_va = 0xdc0000 end_va = 0xdfffff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 776 start_va = 0xe40000 end_va = 0xe7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 777 start_va = 0x6f940000 end_va = 0x6f98efff entry_point = 0x6f940000 region_type = mapped_file name = "swprv.dll" filename = "\\Windows\\System32\\swprv.dll" (normalized: "c:\\windows\\system32\\swprv.dll") Region: id = 778 start_va = 0x70370000 end_va = 0x7037ffff entry_point = 0x70370000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 779 start_va = 0x71de0000 end_va = 0x71de6fff entry_point = 0x71de0000 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 780 start_va = 0x71f20000 end_va = 0x71f29fff entry_point = 0x71f20000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 781 start_va = 0x71f50000 end_va = 0x71f57fff entry_point = 0x71f50000 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 782 start_va = 0x738a0000 end_va = 0x738b3fff entry_point = 0x738a0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 783 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 784 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 785 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 786 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 787 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 788 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 789 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 790 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 791 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 792 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 793 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 794 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 795 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 796 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 797 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 798 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 799 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 800 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 801 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 802 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 803 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 804 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 805 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 806 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 807 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 808 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 809 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 810 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 811 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 812 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 813 start_va = 0xe80000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 814 start_va = 0x70380000 end_va = 0x70495fff entry_point = 0x70380000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Thread: id = 31 os_tid = 0xa54 Thread: id = 32 os_tid = 0xa4c Thread: id = 33 os_tid = 0xa48 Thread: id = 34 os_tid = 0xa44 Thread: id = 35 os_tid = 0xa40 Thread: id = 36 os_tid = 0xa3c Thread: id = 38 os_tid = 0xab8 Thread: id = 60 os_tid = 0xc64 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7ea16220" os_pid = "0x43c" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x3e8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c83d" [0xc000000f], "LOCAL" [0x7] Region: id = 815 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 816 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 817 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 818 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 819 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 820 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 821 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 822 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 823 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 824 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 825 start_va = 0x110000 end_va = 0x117fff entry_point = 0x110000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 826 start_va = 0x120000 end_va = 0x19ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 827 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 828 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 829 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 830 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 831 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 832 start_va = 0x3d0000 end_va = 0x3ddfff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 833 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 834 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 835 start_va = 0x400000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 836 start_va = 0x410000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 837 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 838 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 839 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 840 start_va = 0x550000 end_va = 0x942fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 841 start_va = 0x950000 end_va = 0x950fff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 842 start_va = 0x960000 end_va = 0x961fff entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 843 start_va = 0x970000 end_va = 0x974fff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 844 start_va = 0x980000 end_va = 0x9bffff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 845 start_va = 0x9c0000 end_va = 0x9cffff entry_point = 0x9c0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 846 start_va = 0x9d0000 end_va = 0x9dffff entry_point = 0x9d0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 847 start_va = 0x9e0000 end_va = 0x9effff entry_point = 0x9e0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 848 start_va = 0xa00000 end_va = 0xa00fff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 849 start_va = 0xa10000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 850 start_va = 0xa20000 end_va = 0xa5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 851 start_va = 0xa60000 end_va = 0xa9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 852 start_va = 0xaa0000 end_va = 0xaaffff entry_point = 0xaa0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 853 start_va = 0xae0000 end_va = 0xae0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 854 start_va = 0xaf0000 end_va = 0xafffff entry_point = 0xaf0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 855 start_va = 0xb00000 end_va = 0xdcefff entry_point = 0xb00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 856 start_va = 0xdd0000 end_va = 0xddffff entry_point = 0xdd0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 857 start_va = 0xde0000 end_va = 0xdeffff entry_point = 0xde0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 858 start_va = 0xdf0000 end_va = 0xdfffff entry_point = 0xdf0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 859 start_va = 0xe00000 end_va = 0xe0ffff entry_point = 0xe00000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 860 start_va = 0xe10000 end_va = 0xe1ffff entry_point = 0xe10000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 861 start_va = 0xe20000 end_va = 0xe2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 862 start_va = 0xe30000 end_va = 0xe3ffff entry_point = 0xe30000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 863 start_va = 0xe40000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 864 start_va = 0xec0000 end_va = 0xecffff entry_point = 0xec0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 865 start_va = 0xed0000 end_va = 0xedffff entry_point = 0xed0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 866 start_va = 0xee0000 end_va = 0xf1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 867 start_va = 0xf20000 end_va = 0xf2ffff entry_point = 0xf20000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 868 start_va = 0xf30000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 869 start_va = 0xf70000 end_va = 0xf7ffff entry_point = 0xf70000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 870 start_va = 0xf80000 end_va = 0xf8ffff entry_point = 0xf80000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 871 start_va = 0xf90000 end_va = 0xf9ffff entry_point = 0xf90000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 872 start_va = 0xfb0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 873 start_va = 0xff0000 end_va = 0xffffff entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 874 start_va = 0x1000000 end_va = 0x103ffff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 875 start_va = 0x1040000 end_va = 0x107ffff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 876 start_va = 0x1080000 end_va = 0x117ffff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 877 start_va = 0x1180000 end_va = 0x118ffff entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 878 start_va = 0x1190000 end_va = 0x119ffff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 879 start_va = 0x11a0000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 880 start_va = 0x11b0000 end_va = 0x11effff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 881 start_va = 0x11f0000 end_va = 0x11fffff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 882 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 883 start_va = 0x1210000 end_va = 0x1210fff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 884 start_va = 0x1220000 end_va = 0x122ffff entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 885 start_va = 0x1280000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 886 start_va = 0x1380000 end_va = 0x13bffff entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 887 start_va = 0x1400000 end_va = 0x140ffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 888 start_va = 0x1420000 end_va = 0x145ffff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 889 start_va = 0x14b0000 end_va = 0x14bffff entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 890 start_va = 0x14c0000 end_va = 0x15bffff entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 891 start_va = 0x15f0000 end_va = 0x162ffff entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 892 start_va = 0x1680000 end_va = 0x16bffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 893 start_va = 0x16f0000 end_va = 0x172ffff entry_point = 0x0 region_type = private name = "private_0x00000000016f0000" filename = "" Region: id = 894 start_va = 0x1730000 end_va = 0x17effff entry_point = 0x1730000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 895 start_va = 0x17f0000 end_va = 0x17fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017f0000" filename = "" Region: id = 896 start_va = 0x1800000 end_va = 0x180ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 897 start_va = 0x1810000 end_va = 0x181ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001810000" filename = "" Region: id = 898 start_va = 0x1820000 end_va = 0x182ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001820000" filename = "" Region: id = 899 start_va = 0x1830000 end_va = 0x183ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001830000" filename = "" Region: id = 900 start_va = 0x1840000 end_va = 0x184ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001840000" filename = "" Region: id = 901 start_va = 0x1870000 end_va = 0x18affff entry_point = 0x0 region_type = private name = "private_0x0000000001870000" filename = "" Region: id = 902 start_va = 0x1900000 end_va = 0x19fffff entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 903 start_va = 0x1ac0000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001ac0000" filename = "" Region: id = 904 start_va = 0x1bc0000 end_va = 0x1bcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bc0000" filename = "" Region: id = 905 start_va = 0x1bd0000 end_va = 0x1bdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bd0000" filename = "" Region: id = 906 start_va = 0x1be0000 end_va = 0x1beffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001be0000" filename = "" Region: id = 907 start_va = 0x1bf0000 end_va = 0x1bfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bf0000" filename = "" Region: id = 908 start_va = 0x1c00000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c00000" filename = "" Region: id = 909 start_va = 0x1c10000 end_va = 0x1c1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 910 start_va = 0x1c70000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c70000" filename = "" Region: id = 911 start_va = 0x1c80000 end_va = 0x1d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 912 start_va = 0x1d40000 end_va = 0x1e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 913 start_va = 0x1e40000 end_va = 0x2e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 914 start_va = 0x2e90000 end_va = 0x2ecffff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 915 start_va = 0x6f9e0000 end_va = 0x6fb82fff entry_point = 0x6f9e0000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 916 start_va = 0x6fce0000 end_va = 0x6fcecfff entry_point = 0x6fce0000 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 917 start_va = 0x6fcf0000 end_va = 0x6fd3efff entry_point = 0x6fcf0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 918 start_va = 0x6fd40000 end_va = 0x6fd97fff entry_point = 0x6fd40000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 919 start_va = 0x6fda0000 end_va = 0x6fdc7fff entry_point = 0x6fda0000 region_type = mapped_file name = "ncsi.dll" filename = "\\Windows\\System32\\ncsi.dll" (normalized: "c:\\windows\\system32\\ncsi.dll") Region: id = 920 start_va = 0x6fdd0000 end_va = 0x6fe0dfff entry_point = 0x6fdd0000 region_type = mapped_file name = "nlasvc.dll" filename = "\\Windows\\System32\\nlasvc.dll" (normalized: "c:\\windows\\system32\\nlasvc.dll") Region: id = 921 start_va = 0x70370000 end_va = 0x7037ffff entry_point = 0x70370000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 922 start_va = 0x70380000 end_va = 0x70495fff entry_point = 0x70380000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 923 start_va = 0x704a0000 end_va = 0x704a5fff entry_point = 0x704a0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 924 start_va = 0x704b0000 end_va = 0x704d3fff entry_point = 0x704b0000 region_type = mapped_file name = "cryptsvc.dll" filename = "\\Windows\\System32\\cryptsvc.dll" (normalized: "c:\\windows\\system32\\cryptsvc.dll") Region: id = 925 start_va = 0x71900000 end_va = 0x71916fff entry_point = 0x71900000 region_type = mapped_file name = "wkssvc.dll" filename = "\\Windows\\System32\\wkssvc.dll" (normalized: "c:\\windows\\system32\\wkssvc.dll") Region: id = 926 start_va = 0x73670000 end_va = 0x73681fff entry_point = 0x73670000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 927 start_va = 0x73690000 end_va = 0x7369cfff entry_point = 0x73690000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 928 start_va = 0x736a0000 end_va = 0x736a4fff entry_point = 0x736a0000 region_type = mapped_file name = "dnsext.dll" filename = "\\Windows\\System32\\dnsext.dll" (normalized: "c:\\windows\\system32\\dnsext.dll") Region: id = 929 start_va = 0x736b0000 end_va = 0x736e7fff entry_point = 0x736b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 930 start_va = 0x736f0000 end_va = 0x73712fff entry_point = 0x736f0000 region_type = mapped_file name = "dnsrslvr.dll" filename = "\\Windows\\System32\\dnsrslvr.dll" (normalized: "c:\\windows\\system32\\dnsrslvr.dll") Region: id = 931 start_va = 0x737c0000 end_va = 0x737c6fff entry_point = 0x737c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 932 start_va = 0x737d0000 end_va = 0x737ebfff entry_point = 0x737d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 933 start_va = 0x73820000 end_va = 0x73866fff entry_point = 0x73820000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 934 start_va = 0x738a0000 end_va = 0x738b3fff entry_point = 0x738a0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 935 start_va = 0x73c30000 end_va = 0x73c3efff entry_point = 0x73c30000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 936 start_va = 0x73c40000 end_va = 0x73c4efff entry_point = 0x73c40000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 937 start_va = 0x73c50000 end_va = 0x73c58fff entry_point = 0x73c50000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 938 start_va = 0x73d60000 end_va = 0x73d6cfff entry_point = 0x73d60000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 939 start_va = 0x74220000 end_va = 0x74314fff entry_point = 0x74220000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 940 start_va = 0x74320000 end_va = 0x74331fff entry_point = 0x74320000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 941 start_va = 0x74960000 end_va = 0x74964fff entry_point = 0x74960000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 942 start_va = 0x74a10000 end_va = 0x74a25fff entry_point = 0x74a10000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 943 start_va = 0x74a30000 end_va = 0x74a46fff entry_point = 0x74a30000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 944 start_va = 0x74b20000 end_va = 0x74b27fff entry_point = 0x74b20000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 945 start_va = 0x74b30000 end_va = 0x74b6cfff entry_point = 0x74b30000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 946 start_va = 0x74bf0000 end_va = 0x74c2afff entry_point = 0x74bf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 947 start_va = 0x74cd0000 end_va = 0x74d13fff entry_point = 0x74cd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 948 start_va = 0x74e00000 end_va = 0x74e05fff entry_point = 0x74e00000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 949 start_va = 0x74e10000 end_va = 0x74e4bfff entry_point = 0x74e10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 950 start_va = 0x74e50000 end_va = 0x74e65fff entry_point = 0x74e50000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 951 start_va = 0x74f20000 end_va = 0x74f4afff entry_point = 0x74f20000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 952 start_va = 0x74f80000 end_va = 0x74f96fff entry_point = 0x74f80000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 953 start_va = 0x75010000 end_va = 0x75051fff entry_point = 0x75010000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 954 start_va = 0x75290000 end_va = 0x75297fff entry_point = 0x75290000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 955 start_va = 0x752b0000 end_va = 0x752cafff entry_point = 0x752b0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 956 start_va = 0x752d0000 end_va = 0x752dbfff entry_point = 0x752d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 957 start_va = 0x75340000 end_va = 0x75368fff entry_point = 0x75340000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 958 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 959 start_va = 0x75380000 end_va = 0x7538afff entry_point = 0x75380000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 960 start_va = 0x753f0000 end_va = 0x753fbfff entry_point = 0x753f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 961 start_va = 0x75420000 end_va = 0x7553cfff entry_point = 0x75420000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 962 start_va = 0x75540000 end_va = 0x75589fff entry_point = 0x75540000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 963 start_va = 0x75590000 end_va = 0x755b6fff entry_point = 0x75590000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 964 start_va = 0x75680000 end_va = 0x75720fff entry_point = 0x75680000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 965 start_va = 0x75780000 end_va = 0x75802fff entry_point = 0x75780000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 966 start_va = 0x75810000 end_va = 0x75815fff entry_point = 0x75810000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 967 start_va = 0x75820000 end_va = 0x75824fff entry_point = 0x75820000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 968 start_va = 0x76480000 end_va = 0x76489fff entry_point = 0x76480000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 969 start_va = 0x76490000 end_va = 0x764aefff entry_point = 0x76490000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 970 start_va = 0x76750000 end_va = 0x768abfff entry_point = 0x76750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 971 start_va = 0x76910000 end_va = 0x769e3fff entry_point = 0x76910000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 972 start_va = 0x769f0000 end_va = 0x76a8ffff entry_point = 0x769f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 973 start_va = 0x76a90000 end_va = 0x76b3bfff entry_point = 0x76a90000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 974 start_va = 0x76b40000 end_va = 0x76c08fff entry_point = 0x76b40000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 975 start_va = 0x76c10000 end_va = 0x76c9efff entry_point = 0x76c10000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 976 start_va = 0x76ca0000 end_va = 0x76d6bfff entry_point = 0x76ca0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 977 start_va = 0x76d70000 end_va = 0x76e0cfff entry_point = 0x76d70000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 978 start_va = 0x76e10000 end_va = 0x76e66fff entry_point = 0x76e10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 979 start_va = 0x77230000 end_va = 0x7736bfff entry_point = 0x77230000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 980 start_va = 0x77380000 end_va = 0x773b4fff entry_point = 0x77380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 981 start_va = 0x773c0000 end_va = 0x773d8fff entry_point = 0x773c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 982 start_va = 0x773e0000 end_va = 0x7742dfff entry_point = 0x773e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 983 start_va = 0x77470000 end_va = 0x77470fff entry_point = 0x77470000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 984 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 985 start_va = 0x7ffa9000 end_va = 0x7ffa9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 986 start_va = 0x7ffaa000 end_va = 0x7ffaafff entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Region: id = 987 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 988 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 989 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 990 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 991 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 992 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 993 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 994 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 995 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 996 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 997 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 998 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 999 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1000 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1001 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 42 os_tid = 0x93c Thread: id = 43 os_tid = 0x244 Thread: id = 44 os_tid = 0x720 Thread: id = 45 os_tid = 0x6e0 Thread: id = 46 os_tid = 0xc8 Thread: id = 47 os_tid = 0x740 Thread: id = 48 os_tid = 0x724 Thread: id = 49 os_tid = 0x688 Thread: id = 50 os_tid = 0x5f0 Thread: id = 51 os_tid = 0x468 Thread: id = 52 os_tid = 0x464 Thread: id = 53 os_tid = 0x460 Thread: id = 54 os_tid = 0x454 Thread: id = 55 os_tid = 0x444 Thread: id = 56 os_tid = 0x440 Thread: id = 58 os_tid = 0xc50 Thread: id = 61 os_tid = 0xc7c Thread: id = 62 os_tid = 0xcb4 Thread: id = 63 os_tid = 0xcc0 Thread: id = 64 os_tid = 0xce0 Thread: id = 66 os_tid = 0xcf4 Process: id = "7" image_name = "System" filename = "" page_root = "0x185000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0x0" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1050 start_va = 0x10000 end_va = 0x32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Thread: id = 67 os_tid = 0x8 Thread: id = 68 os_tid = 0x14 Thread: id = 69 os_tid = 0x10 Thread: id = 70 os_tid = 0xc Thread: id = 71 os_tid = 0x18 Thread: id = 72 os_tid = 0x1c Thread: id = 73 os_tid = 0x20 Thread: id = 74 os_tid = 0x24 Thread: id = 75 os_tid = 0x28 Thread: id = 76 os_tid = 0x2c Thread: id = 77 os_tid = 0x30 Thread: id = 78 os_tid = 0x34 Thread: id = 79 os_tid = 0x38 Thread: id = 80 os_tid = 0x3c Thread: id = 81 os_tid = 0x40 Thread: id = 82 os_tid = 0x44 Thread: id = 83 os_tid = 0x48 Thread: id = 84 os_tid = 0x74 Thread: id = 85 os_tid = 0x4c Thread: id = 86 os_tid = 0x50 Thread: id = 87 os_tid = 0x54 Thread: id = 88 os_tid = 0x58 Thread: id = 89 os_tid = 0x5c Thread: id = 90 os_tid = 0x60 Thread: id = 91 os_tid = 0x64 Thread: id = 92 os_tid = 0x68 Thread: id = 93 os_tid = 0x6c Thread: id = 94 os_tid = 0x70 Thread: id = 95 os_tid = 0x78 Thread: id = 96 os_tid = 0x7c Thread: id = 97 os_tid = 0x80 Thread: id = 98 os_tid = 0x84 Thread: id = 99 os_tid = 0x88 Thread: id = 100 os_tid = 0x8c Thread: id = 101 os_tid = 0x90 Thread: id = 102 os_tid = 0x94 Thread: id = 103 os_tid = 0x98 Thread: id = 104 os_tid = 0x9c Thread: id = 105 os_tid = 0xa0 Thread: id = 106 os_tid = 0xa4 Thread: id = 107 os_tid = 0xa8 Thread: id = 108 os_tid = 0xac Thread: id = 109 os_tid = 0xb0 Thread: id = 110 os_tid = 0xb4 Thread: id = 111 os_tid = 0xb8 Thread: id = 112 os_tid = 0xbc Thread: id = 113 os_tid = 0xc0 Thread: id = 114 os_tid = 0xc4 Thread: id = 115 os_tid = 0xc8 Thread: id = 117 os_tid = 0xcc Thread: id = 118 os_tid = 0xdc Thread: id = 119 os_tid = 0xd0 Thread: id = 120 os_tid = 0xd4 Thread: id = 121 os_tid = 0xd8 Thread: id = 122 os_tid = 0xe0 Thread: id = 124 os_tid = 0xec Thread: id = 125 os_tid = 0xf0 Thread: id = 126 os_tid = 0xf4 Thread: id = 129 os_tid = 0x104 Thread: id = 130 os_tid = 0x108 Thread: id = 131 os_tid = 0x10c Thread: id = 132 os_tid = 0x110 Thread: id = 133 os_tid = 0x114 Thread: id = 134 os_tid = 0x118 Thread: id = 138 os_tid = 0x130 Thread: id = 139 os_tid = 0x134 Thread: id = 140 os_tid = 0x138 Thread: id = 141 os_tid = 0x13c Thread: id = 158 os_tid = 0x190 Thread: id = 210 os_tid = 0x270 Thread: id = 239 os_tid = 0x2ec Thread: id = 247 os_tid = 0x310 [0277.407] KeInitializeEvent (in: Event=0x9156aaf4, Type=0x1, State=0 | out: Event=0x9156aaf4) [0277.407] KeInitializeEvent (in: Event=0x9156ab14, Type=0x1, State=0 | out: Event=0x9156ab14) [0277.407] KeInitializeEvent (in: Event=0x9156ab34, Type=0x1, State=0 | out: Event=0x9156ab34) [0277.407] KeInitializeEvent (in: Event=0x9156ab54, Type=0x1, State=0 | out: Event=0x9156ab54) [0277.408] KeInitializeEvent (in: Event=0x9156ab74, Type=0x1, State=0 | out: Event=0x9156ab74) [0277.408] KeInitializeEvent (in: Event=0x9156ab94, Type=0x1, State=0 | out: Event=0x9156ab94) [0277.408] KeInitializeEvent (in: Event=0x9156abb4, Type=0x1, State=0 | out: Event=0x9156abb4) [0277.408] KeInitializeEvent (in: Event=0x9156abd4, Type=0x1, State=0 | out: Event=0x9156abd4) [0277.408] KeInitializeEvent (in: Event=0x9156abf4, Type=0x1, State=0 | out: Event=0x9156abf4) [0277.408] KeInitializeEvent (in: Event=0x9156ac14, Type=0x1, State=0 | out: Event=0x9156ac14) [0277.408] KeInitializeEvent (in: Event=0x9156ac34, Type=0x1, State=0 | out: Event=0x9156ac34) [0277.408] KeInitializeEvent (in: Event=0x9156ac54, Type=0x1, State=0 | out: Event=0x9156ac54) [0277.409] imp_WdfDriverCreate () returned 0x0 [0277.411] imp_WdfControlDeviceInitAllocate () returned 0x85eb45d8 [0277.411] ExInitializeResourceLite (in: Resource=0x9156aec0 | out: Resource=0x9156aec0) returned 0x0 [0277.411] ExInitializeResourceLite (in: Resource=0x9156b360 | out: Resource=0x9156b360) returned 0x0 [0277.411] ExInitializeResourceLite (in: Resource=0x9156af00 | out: Resource=0x9156af00) returned 0x0 [0277.411] ExAllocatePoolWithTag (PoolType=0x1, NumberOfBytes=0x15e7, Tag=0x5045) returned 0x9583d000 [0277.412] HalpHpetClockInterrupt () returned 0xd77 [0277.429] PsSetCreateProcessNotifyRoutine (NotifyRoutine=0x9156d1d9, Remove=0) returned 0x0 [0277.429] ExFreePoolWithTag (P=0x9583d000, Tag=0x0) Thread: id = 289 os_tid = 0x3c4 Thread: id = 290 os_tid = 0x3c8 Thread: id = 342 os_tid = 0x4b4 Thread: id = 371 os_tid = 0x520 Thread: id = 372 os_tid = 0x524 Thread: id = 373 os_tid = 0x528 Thread: id = 401 os_tid = 0x5a8 Thread: id = 410 os_tid = 0x5cc Thread: id = 411 os_tid = 0x5d0 Thread: id = 413 os_tid = 0x5d8 Thread: id = 429 os_tid = 0x620 Thread: id = 430 os_tid = 0x624 Thread: id = 455 os_tid = 0x684 Thread: id = 462 os_tid = 0x6a0 Thread: id = 464 os_tid = 0x6a8 Thread: id = 467 os_tid = 0x6b4 Thread: id = 469 os_tid = 0x6bc Thread: id = 471 os_tid = 0x6c4 Thread: id = 472 os_tid = 0x6c8 Thread: id = 529 os_tid = 0x7b8 Process: id = "8" image_name = "System Idle Process" filename = "" page_root = "0x185000" os_pid = "0x0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0x0" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 116 os_tid = 0x0 Process: id = "9" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x7f1fa020" os_pid = "0xe4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x4" cmd_line = "\\SystemRoot\\System32\\smss.exe" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1112 start_va = 0x0 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x (null)" filename = "" Region: id = 1113 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1114 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1115 start_va = 0x476c0000 end_va = 0x476d2fff entry_point = 0x476c0000 region_type = mapped_file name = "smss.exe" filename = "\\Windows\\System32\\smss.exe" (normalized: "c:\\windows\\system32\\smss.exe") Region: id = 1116 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1117 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1118 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1119 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1120 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 123 os_tid = 0xe8 Thread: id = 127 os_tid = 0xf8 Thread: id = 135 os_tid = 0x11c Thread: id = 146 os_tid = 0x160 Process: id = "10" image_name = "autochk.exe" filename = "c:\\windows\\system32\\autochk.exe" page_root = "0x7f1fa040" os_pid = "0xfc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xe4" cmd_line = "\\??\\C:\\Windows\\system32\\autochk.exe *" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1121 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1122 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1123 start_va = 0xd90000 end_va = 0xe35fff entry_point = 0xd90000 region_type = mapped_file name = "autochk.exe" filename = "\\Windows\\System32\\autochk.exe" (normalized: "c:\\windows\\system32\\autochk.exe") Region: id = 1124 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1125 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1126 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1127 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1128 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 128 os_tid = 0x100 Process: id = "11" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x7f1fa040" os_pid = "0x120" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xe4" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000000 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1139 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1140 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1141 start_va = 0x476c0000 end_va = 0x476d2fff entry_point = 0x476c0000 region_type = mapped_file name = "smss.exe" filename = "\\Windows\\System32\\smss.exe" (normalized: "c:\\windows\\system32\\smss.exe") Region: id = 1142 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1143 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1144 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1145 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1146 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 136 os_tid = 0x124 Process: id = "12" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x7f1fa060" os_pid = "0x128" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x120" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1149 start_va = 0x0 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x (null)" filename = "" Region: id = 1150 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1151 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1152 start_va = 0x4a3f0000 end_va = 0x4a3f4fff entry_point = 0x4a3f0000 region_type = mapped_file name = "csrss.exe" filename = "\\Windows\\System32\\csrss.exe" (normalized: "c:\\windows\\system32\\csrss.exe") Region: id = 1153 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1154 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1155 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1156 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1157 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1158 start_va = 0x75380000 end_va = 0x7538cfff entry_point = 0x75380000 region_type = mapped_file name = "csrsrv.dll" filename = "\\Windows\\System32\\csrsrv.dll" (normalized: "c:\\windows\\system32\\csrsrv.dll") Region: id = 1159 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "basesrv.dll" filename = "\\Windows\\System32\\basesrv.dll" (normalized: "c:\\windows\\system32\\basesrv.dll") Region: id = 1160 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1161 start_va = 0x75340000 end_va = 0x7536bfff entry_point = 0x75340000 region_type = mapped_file name = "winsrv.dll" filename = "\\Windows\\System32\\winsrv.dll" (normalized: "c:\\windows\\system32\\winsrv.dll") Region: id = 1162 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1163 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1164 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1165 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1166 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1167 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1168 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1173 start_va = 0x100000 end_va = 0x106fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1174 start_va = 0x110000 end_va = 0x111fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 1175 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 1176 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1177 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x1e0000 region_type = mapped_file name = "vgasys.fon" filename = "\\Windows\\Fonts\\vgasys.fon" (normalized: "c:\\windows\\fonts\\vgasys.fon") Region: id = 1178 start_va = 0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1179 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 1180 start_va = 0x540000 end_va = 0x932fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 1181 start_va = 0x9b0000 end_va = 0x9effff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 1182 start_va = 0xa40000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 1183 start_va = 0x75330000 end_va = 0x75338fff entry_point = 0x75330000 region_type = mapped_file name = "sxssrv.dll" filename = "\\Windows\\System32\\sxssrv.dll" (normalized: "c:\\windows\\system32\\sxssrv.dll") Region: id = 1184 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1185 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1311 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1312 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1313 start_va = 0x220000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 1314 start_va = 0x2a0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1315 start_va = 0x2f0000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1316 start_va = 0x960000 end_va = 0x99ffff entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 1317 start_va = 0xb30000 end_va = 0xb6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 1318 start_va = 0xb70000 end_va = 0xc37fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 1319 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1320 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1321 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1322 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1358 start_va = 0x140000 end_va = 0x146fff entry_point = 0x140000 region_type = mapped_file name = "marlett.ttf" filename = "\\Windows\\Fonts\\marlett.ttf" (normalized: "c:\\windows\\fonts\\marlett.ttf") Region: id = 1359 start_va = 0x150000 end_va = 0x16ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 1360 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 1361 start_va = 0xa80000 end_va = 0xafefff entry_point = 0xa80000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 1362 start_va = 0xc40000 end_va = 0x183ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 1363 start_va = 0x752b0000 end_va = 0x7530efff entry_point = 0x752b0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1364 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1365 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1366 start_va = 0x210000 end_va = 0x213fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 1376 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 1387 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 1398 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 1399 start_va = 0x1960000 end_va = 0x199ffff entry_point = 0x0 region_type = private name = "private_0x0000000001960000" filename = "" Region: id = 1400 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 1552 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 1553 start_va = 0x260000 end_va = 0x26ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 1554 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 1555 start_va = 0x19f0000 end_va = 0x1a2ffff entry_point = 0x0 region_type = private name = "private_0x00000000019f0000" filename = "" Region: id = 1556 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 1752 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 1753 start_va = 0x1840000 end_va = 0x18bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001840000" filename = "" Region: id = 2718 start_va = 0x280000 end_va = 0x28ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 2719 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 2720 start_va = 0x940000 end_va = 0x94ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 2721 start_va = 0x950000 end_va = 0x951fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 2722 start_va = 0x9a0000 end_va = 0x9affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 2723 start_va = 0x9f0000 end_va = 0x9fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 2724 start_va = 0xa00000 end_va = 0xa0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 2725 start_va = 0xa10000 end_va = 0xa11fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 2726 start_va = 0x18c0000 end_va = 0x193ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000018c0000" filename = "" Region: id = 2727 start_va = 0x1a30000 end_va = 0x1aaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001a30000" filename = "" Region: id = 2731 start_va = 0xa10000 end_va = 0xa10fff entry_point = 0xa10000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2732 start_va = 0xa20000 end_va = 0xa21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 3213 start_va = 0xa10000 end_va = 0xa1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 3214 start_va = 0xa20000 end_va = 0xa2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 3215 start_va = 0xa30000 end_va = 0xa31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 3558 start_va = 0xa30000 end_va = 0xa3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 3559 start_va = 0xb00000 end_va = 0xb00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 3889 start_va = 0xa20000 end_va = 0xa21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 3890 start_va = 0xb00000 end_va = 0xb0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 3891 start_va = 0xb10000 end_va = 0xb1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 4408 start_va = 0xa20000 end_va = 0xa2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 4409 start_va = 0xb20000 end_va = 0xb21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 4605 start_va = 0xb20000 end_va = 0xb20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 4659 start_va = 0xb20000 end_va = 0xb2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 4660 start_va = 0x1940000 end_va = 0x1940fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001940000" filename = "" Region: id = 4661 start_va = 0x1ab0000 end_va = 0x1b2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ab0000" filename = "" Region: id = 4730 start_va = 0x1940000 end_va = 0x194ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001940000" filename = "" Region: id = 4731 start_va = 0x1950000 end_va = 0x1951fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001950000" filename = "" Region: id = 4754 start_va = 0x1950000 end_va = 0x1951fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001950000" filename = "" Thread: id = 137 os_tid = 0x12c Thread: id = 142 os_tid = 0x140 Thread: id = 143 os_tid = 0x144 Thread: id = 144 os_tid = 0x148 Thread: id = 145 os_tid = 0x14c Thread: id = 154 os_tid = 0x184 Thread: id = 159 os_tid = 0x194 Thread: id = 160 os_tid = 0x198 Thread: id = 165 os_tid = 0x1c4 Thread: id = 174 os_tid = 0x1dc Process: id = "13" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x7f1fa080" os_pid = "0x150" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xe4" cmd_line = "\\SystemRoot\\System32\\smss.exe 00000001 0000003c " cur_dir = "C:\\Windows\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1238 start_va = 0x10000 end_va = 0x10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1239 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1240 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1241 start_va = 0x476c0000 end_va = 0x476d2fff entry_point = 0x476c0000 region_type = mapped_file name = "smss.exe" filename = "\\Windows\\System32\\smss.exe" (normalized: "c:\\windows\\system32\\smss.exe") Region: id = 1242 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1243 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1244 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1245 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1246 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 147 os_tid = 0x154 Process: id = "14" image_name = "wininit.exe" filename = "c:\\windows\\system32\\wininit.exe" page_root = "0x7f1fa0a0" os_pid = "0x158" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x120" cmd_line = "wininit.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1186 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1187 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1188 start_va = 0xce0000 end_va = 0xcf9fff entry_point = 0xce0000 region_type = mapped_file name = "wininit.exe" filename = "\\Windows\\System32\\wininit.exe" (normalized: "c:\\windows\\system32\\wininit.exe") Region: id = 1189 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1190 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1191 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1192 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 1193 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1247 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1248 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1249 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1250 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1251 start_va = 0x20000 end_va = 0x86fff entry_point = 0x20000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1252 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1253 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1254 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1255 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1256 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1257 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1258 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1259 start_va = 0x75320000 end_va = 0x7532afff entry_point = 0x75320000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1260 start_va = 0x170000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1261 start_va = 0x90000 end_va = 0xacfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1262 start_va = 0x3a0000 end_va = 0x467fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 1263 start_va = 0x90000 end_va = 0xacfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1264 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1265 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1266 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 1267 start_va = 0x90000 end_va = 0x96fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 1268 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 1269 start_va = 0xb0000 end_va = 0xb0fff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 1270 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1271 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1272 start_va = 0x580000 end_va = 0x972fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 1273 start_va = 0x980000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 1274 start_va = 0xa40000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 1275 start_va = 0xae0000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 1276 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1277 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1278 start_va = 0x9a0000 end_va = 0x9dffff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 1279 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1288 start_va = 0x75300000 end_va = 0x75303fff entry_point = 0x75300000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 1289 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1290 start_va = 0xd00000 end_va = 0x1c82fff entry_point = 0xd00000 region_type = mapped_file name = "batang.ttc" filename = "\\Windows\\Fonts\\batang.ttc" (normalized: "c:\\windows\\fonts\\batang.ttc") Region: id = 1291 start_va = 0xd00000 end_va = 0x19e5fff entry_point = 0xd00000 region_type = mapped_file name = "gulim.ttc" filename = "\\Windows\\Fonts\\gulim.ttc" (normalized: "c:\\windows\\fonts\\gulim.ttc") Region: id = 1292 start_va = 0xd00000 end_va = 0x1122fff entry_point = 0xd00000 region_type = mapped_file name = "malgun.ttf" filename = "\\Windows\\Fonts\\malgun.ttf" (normalized: "c:\\windows\\fonts\\malgun.ttf") Region: id = 1293 start_va = 0xd00000 end_va = 0x114efff entry_point = 0xd00000 region_type = mapped_file name = "malgunbd.ttf" filename = "\\Windows\\Fonts\\malgunbd.ttf" (normalized: "c:\\windows\\fonts\\malgunbd.ttf") Region: id = 1294 start_va = 0xd00000 end_va = 0x1617fff entry_point = 0xd00000 region_type = mapped_file name = "meiryo.ttc" filename = "\\Windows\\Fonts\\meiryo.ttc" (normalized: "c:\\windows\\fonts\\meiryo.ttc") Region: id = 1295 start_va = 0xd00000 end_va = 0x164cfff entry_point = 0xd00000 region_type = mapped_file name = "meiryob.ttc" filename = "\\Windows\\Fonts\\meiryob.ttc" (normalized: "c:\\windows\\fonts\\meiryob.ttc") Region: id = 1296 start_va = 0xd00000 end_va = 0x21a8fff entry_point = 0xd00000 region_type = mapped_file name = "msjh.ttf" filename = "\\Windows\\Fonts\\msjh.ttf" (normalized: "c:\\windows\\fonts\\msjh.ttf") Region: id = 1297 start_va = 0xd00000 end_va = 0x1ad6fff entry_point = 0xd00000 region_type = mapped_file name = "msjhbd.ttf" filename = "\\Windows\\Fonts\\msjhbd.ttf" (normalized: "c:\\windows\\fonts\\msjhbd.ttf") Region: id = 1298 start_va = 0xd00000 end_va = 0x21c2fff entry_point = 0xd00000 region_type = mapped_file name = "msyh.ttf" filename = "\\Windows\\Fonts\\msyh.ttf" (normalized: "c:\\windows\\fonts\\msyh.ttf") Region: id = 1299 start_va = 0xd00000 end_va = 0x1aedfff entry_point = 0xd00000 region_type = mapped_file name = "msyhbd.ttf" filename = "\\Windows\\Fonts\\msyhbd.ttf" (normalized: "c:\\windows\\fonts\\msyhbd.ttf") Region: id = 1300 start_va = 0xd00000 end_va = 0x2bb9fff entry_point = 0xd00000 region_type = mapped_file name = "mingliu.ttc" filename = "\\Windows\\Fonts\\mingliu.ttc" (normalized: "c:\\windows\\fonts\\mingliu.ttc") Region: id = 1301 start_va = 0xd00000 end_va = 0x2d3dfff entry_point = 0xd00000 region_type = mapped_file name = "mingliub.ttc" filename = "\\Windows\\Fonts\\mingliub.ttc" (normalized: "c:\\windows\\fonts\\mingliub.ttc") Region: id = 1302 start_va = 0xd00000 end_va = 0x15c0fff entry_point = 0xd00000 region_type = mapped_file name = "msgothic.ttc" filename = "\\Windows\\Fonts\\msgothic.ttc" (normalized: "c:\\windows\\fonts\\msgothic.ttc") Region: id = 1303 start_va = 0xd00000 end_va = 0x1697fff entry_point = 0xd00000 region_type = mapped_file name = "msmincho.ttc" filename = "\\Windows\\Fonts\\msmincho.ttc" (normalized: "c:\\windows\\fonts\\msmincho.ttc") Region: id = 1304 start_va = 0x170000 end_va = 0x1eefff entry_point = 0x170000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 1305 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 1306 start_va = 0x170000 end_va = 0x1e9fff entry_point = 0x170000 region_type = mapped_file name = "segoeuib.ttf" filename = "\\Windows\\Fonts\\segoeuib.ttf" (normalized: "c:\\windows\\fonts\\segoeuib.ttf") Region: id = 1307 start_va = 0xd00000 end_va = 0x1b9dfff entry_point = 0xd00000 region_type = mapped_file name = "simsun.ttc" filename = "\\Windows\\Fonts\\simsun.ttc" (normalized: "c:\\windows\\fonts\\simsun.ttc") Region: id = 1308 start_va = 0xd00000 end_va = 0x1bb1fff entry_point = 0xd00000 region_type = mapped_file name = "simsunb.ttf" filename = "\\Windows\\Fonts\\simsunb.ttf" (normalized: "c:\\windows\\fonts\\simsunb.ttf") Region: id = 1309 start_va = 0x170000 end_va = 0x21afff entry_point = 0x170000 region_type = mapped_file name = "tahoma.ttf" filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf") Region: id = 1310 start_va = 0x170000 end_va = 0x20ffff entry_point = 0x170000 region_type = mapped_file name = "micross.ttf" filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf") Region: id = 1323 start_va = 0xb20000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 1331 start_va = 0x110000 end_va = 0x12ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 1332 start_va = 0x752f0000 end_va = 0x752f3fff entry_point = 0x752f0000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 1333 start_va = 0x90000 end_va = 0x96fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 1334 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 1335 start_va = 0x170000 end_va = 0x173fff entry_point = 0x170000 region_type = mapped_file name = "aero_arrow.cur" filename = "\\Windows\\Cursors\\aero_arrow.cur" (normalized: "c:\\windows\\cursors\\aero_arrow.cur") Region: id = 1336 start_va = 0x580000 end_va = 0x972fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 1337 start_va = 0x170000 end_va = 0x1adfff entry_point = 0x170000 region_type = mapped_file name = "aero_busy.ani" filename = "\\Windows\\Cursors\\aero_busy.ani" (normalized: "c:\\windows\\cursors\\aero_busy.ani") Region: id = 1338 start_va = 0x170000 end_va = 0x173fff entry_point = 0x170000 region_type = mapped_file name = "aero_up.cur" filename = "\\Windows\\Cursors\\aero_up.cur" (normalized: "c:\\windows\\cursors\\aero_up.cur") Region: id = 1339 start_va = 0x170000 end_va = 0x173fff entry_point = 0x170000 region_type = mapped_file name = "aero_nwse.cur" filename = "\\Windows\\Cursors\\aero_nwse.cur" (normalized: "c:\\windows\\cursors\\aero_nwse.cur") Region: id = 1340 start_va = 0x170000 end_va = 0x173fff entry_point = 0x170000 region_type = mapped_file name = "aero_nesw.cur" filename = "\\Windows\\Cursors\\aero_nesw.cur" (normalized: "c:\\windows\\cursors\\aero_nesw.cur") Region: id = 1341 start_va = 0x170000 end_va = 0x173fff entry_point = 0x170000 region_type = mapped_file name = "aero_ew.cur" filename = "\\Windows\\Cursors\\aero_ew.cur" (normalized: "c:\\windows\\cursors\\aero_ew.cur") Region: id = 1342 start_va = 0x170000 end_va = 0x173fff entry_point = 0x170000 region_type = mapped_file name = "aero_ns.cur" filename = "\\Windows\\Cursors\\aero_ns.cur" (normalized: "c:\\windows\\cursors\\aero_ns.cur") Region: id = 1343 start_va = 0x170000 end_va = 0x173fff entry_point = 0x170000 region_type = mapped_file name = "aero_move.cur" filename = "\\Windows\\Cursors\\aero_move.cur" (normalized: "c:\\windows\\cursors\\aero_move.cur") Region: id = 1344 start_va = 0x170000 end_va = 0x173fff entry_point = 0x170000 region_type = mapped_file name = "aero_unavail.cur" filename = "\\Windows\\Cursors\\aero_unavail.cur" (normalized: "c:\\windows\\cursors\\aero_unavail.cur") Region: id = 1345 start_va = 0x170000 end_va = 0x1adfff entry_point = 0x170000 region_type = mapped_file name = "aero_working.ani" filename = "\\Windows\\Cursors\\aero_working.ani" (normalized: "c:\\windows\\cursors\\aero_working.ani") Region: id = 1346 start_va = 0x170000 end_va = 0x173fff entry_point = 0x170000 region_type = mapped_file name = "aero_helpsel.cur" filename = "\\Windows\\Cursors\\aero_helpsel.cur" (normalized: "c:\\windows\\cursors\\aero_helpsel.cur") Region: id = 1347 start_va = 0x170000 end_va = 0x173fff entry_point = 0x170000 region_type = mapped_file name = "aero_pen.cur" filename = "\\Windows\\Cursors\\aero_pen.cur" (normalized: "c:\\windows\\cursors\\aero_pen.cur") Region: id = 1348 start_va = 0x170000 end_va = 0x173fff entry_point = 0x170000 region_type = mapped_file name = "aero_link.cur" filename = "\\Windows\\Cursors\\aero_link.cur" (normalized: "c:\\windows\\cursors\\aero_link.cur") Region: id = 1349 start_va = 0x75300000 end_va = 0x75305fff entry_point = 0x75300000 region_type = mapped_file name = "wls0wndh.dll" filename = "\\Windows\\System32\\WlS0WndH.dll" (normalized: "c:\\windows\\system32\\wls0wndh.dll") Region: id = 1350 start_va = 0xd00000 end_va = 0x18fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 1351 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1352 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1353 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1354 start_va = 0xb20000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 1355 start_va = 0xc20000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 1356 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1357 start_va = 0x1900000 end_va = 0x1bcefff entry_point = 0x1900000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1703 start_va = 0xba0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 1704 start_va = 0x1c10000 end_va = 0x1c4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c10000" filename = "" Region: id = 1705 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1719 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1958 start_va = 0x1bd0000 end_va = 0x1c0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 1959 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1960 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1961 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1962 start_va = 0x74de0000 end_va = 0x74e1bfff entry_point = 0x74de0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1963 start_va = 0x74900000 end_va = 0x74904fff entry_point = 0x74900000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2001 start_va = 0x74dd0000 end_va = 0x74dd5fff entry_point = 0x74dd0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 2002 start_va = 0x75210000 end_va = 0x75217fff entry_point = 0x75210000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2003 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2004 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2005 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2006 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2007 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2008 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2009 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2010 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2011 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2012 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2013 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2014 start_va = 0x74ad0000 end_va = 0x74ad7fff entry_point = 0x74ad0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 2015 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2172 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Thread: id = 148 os_tid = 0x15c Thread: id = 155 os_tid = 0x188 Thread: id = 156 os_tid = 0x18c Thread: id = 162 os_tid = 0x1a0 Thread: id = 163 os_tid = 0x1a4 Thread: id = 164 os_tid = 0x1b8 Thread: id = 177 os_tid = 0x1ec Thread: id = 223 os_tid = 0x2b0 Process: id = "15" image_name = "csrss.exe" filename = "c:\\windows\\system32\\csrss.exe" page_root = "0x7f1fa040" os_pid = "0x164" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0x150" cmd_line = "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1194 start_va = 0x0 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x (null)" filename = "" Region: id = 1195 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1196 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1197 start_va = 0x4a3f0000 end_va = 0x4a3f4fff entry_point = 0x4a3f0000 region_type = mapped_file name = "csrss.exe" filename = "\\Windows\\System32\\csrss.exe" (normalized: "c:\\windows\\system32\\csrss.exe") Region: id = 1198 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1199 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1200 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1201 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 1202 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1203 start_va = 0x75380000 end_va = 0x7538cfff entry_point = 0x75380000 region_type = mapped_file name = "csrsrv.dll" filename = "\\Windows\\System32\\csrsrv.dll" (normalized: "c:\\windows\\system32\\csrsrv.dll") Region: id = 1204 start_va = 0x100000 end_va = 0x166fff entry_point = 0x100000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1205 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1206 start_va = 0x75340000 end_va = 0x7536bfff entry_point = 0x75340000 region_type = mapped_file name = "winsrv.dll" filename = "\\Windows\\System32\\winsrv.dll" (normalized: "c:\\windows\\system32\\winsrv.dll") Region: id = 1207 start_va = 0x75370000 end_va = 0x7537dfff entry_point = 0x75370000 region_type = mapped_file name = "basesrv.dll" filename = "\\Windows\\System32\\basesrv.dll" (normalized: "c:\\windows\\system32\\basesrv.dll") Region: id = 1208 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1209 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1210 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1211 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1212 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1213 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1214 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1215 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1223 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 1224 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 1225 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1226 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x1a0000 region_type = mapped_file name = "vgasys.fon" filename = "\\Windows\\Fonts\\vgasys.fon" (normalized: "c:\\windows\\fonts\\vgasys.fon") Region: id = 1227 start_va = 0x2c0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 1228 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 1229 start_va = 0x5d0000 end_va = 0x9c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 1230 start_va = 0xa90000 end_va = 0xacffff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 1231 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1232 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1233 start_va = 0x75330000 end_va = 0x75338fff entry_point = 0x75330000 region_type = mapped_file name = "sxssrv.dll" filename = "\\Windows\\System32\\sxssrv.dll" (normalized: "c:\\windows\\system32\\sxssrv.dll") Region: id = 1234 start_va = 0x240000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1235 start_va = 0xa00000 end_va = 0xa3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 1236 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1237 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1497 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1498 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 1499 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1500 start_va = 0xad0000 end_va = 0xb97fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 1501 start_va = 0xc00000 end_va = 0xc3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 1502 start_va = 0xcd0000 end_va = 0xd0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 1503 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1504 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 2095 start_va = 0x210000 end_va = 0x216fff entry_point = 0x210000 region_type = mapped_file name = "marlett.ttf" filename = "\\Windows\\Fonts\\marlett.ttf" (normalized: "c:\\windows\\fonts\\marlett.ttf") Region: id = 2096 start_va = 0x220000 end_va = 0x23ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 2097 start_va = 0x280000 end_va = 0x28ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 2098 start_va = 0x290000 end_va = 0x291fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 2099 start_va = 0x540000 end_va = 0x5befff entry_point = 0x540000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 2100 start_va = 0xd10000 end_va = 0x190ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 2101 start_va = 0x752b0000 end_va = 0x7530efff entry_point = 0x752b0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 2102 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2103 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2104 start_va = 0x2a0000 end_va = 0x2a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2114 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2151 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2152 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2155 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2162 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x2b0000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2163 start_va = 0x300000 end_va = 0x301fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 2180 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2191 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2304 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2309 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2321 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3171 start_va = 0x1910000 end_va = 0x19affff entry_point = 0x1910000 region_type = mapped_file name = "micross.ttf" filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf") Region: id = 3217 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 3218 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 3219 start_va = 0x5d0000 end_va = 0x9c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 3220 start_va = 0x2b0000 end_va = 0x2b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3230 start_va = 0x2b0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3371 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3372 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 3373 start_va = 0x310000 end_va = 0x311fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 3540 start_va = 0x310000 end_va = 0x310fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 4327 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 4328 start_va = 0x320000 end_va = 0x321fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 5281 start_va = 0x2a0000 end_va = 0x2a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5305 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5373 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 5374 start_va = 0x300000 end_va = 0x301fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 5435 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 5436 start_va = 0x320000 end_va = 0x321fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 5459 start_va = 0x320000 end_va = 0x322fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Thread: id = 149 os_tid = 0x168 Thread: id = 150 os_tid = 0x16c Thread: id = 151 os_tid = 0x170 Thread: id = 152 os_tid = 0x174 Thread: id = 153 os_tid = 0x178 Thread: id = 161 os_tid = 0x19c Thread: id = 171 os_tid = 0x1d0 Thread: id = 172 os_tid = 0x1d4 Process: id = "16" image_name = "winlogon.exe" filename = "c:\\windows\\system32\\winlogon.exe" page_root = "0x7f1fa0c0" os_pid = "0x17c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0x150" cmd_line = "winlogon.exe" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1280 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1281 start_va = 0x1e0000 end_va = 0x227fff entry_point = 0x1e0000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 1282 start_va = 0x250000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1283 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1284 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1285 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1286 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1287 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1324 start_va = 0x290000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1325 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1326 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1327 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1328 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1329 start_va = 0x20000 end_va = 0x86fff entry_point = 0x20000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1330 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1402 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1403 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1404 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1405 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1406 start_va = 0x75270000 end_va = 0x75298fff entry_point = 0x75270000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1407 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1408 start_va = 0x530000 end_va = 0x6dffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 1409 start_va = 0x90000 end_va = 0x157fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 1410 start_va = 0x160000 end_va = 0x17cfff entry_point = 0x160000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1411 start_va = 0x160000 end_va = 0x17cfff entry_point = 0x160000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1412 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1413 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1414 start_va = 0x290000 end_va = 0x390fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 1415 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 1416 start_va = 0x160000 end_va = 0x166fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 1417 start_va = 0x170000 end_va = 0x171fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 1418 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1419 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1420 start_va = 0x6e0000 end_va = 0xad2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 1421 start_va = 0x530000 end_va = 0x66ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 1422 start_va = 0x6d0000 end_va = 0x6dffff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 1423 start_va = 0x530000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 1424 start_va = 0x630000 end_va = 0x66ffff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 1425 start_va = 0xae0000 end_va = 0xccffff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 1426 start_va = 0xae0000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 1427 start_va = 0xc90000 end_va = 0xccffff entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 1428 start_va = 0x1a0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1429 start_va = 0xcd0000 end_va = 0xe6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 1430 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1431 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1432 start_va = 0x75320000 end_va = 0x7532afff entry_point = 0x75320000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1433 start_va = 0xb70000 end_va = 0xbaffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 1434 start_va = 0xc20000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 1435 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1436 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1437 start_va = 0xb10000 end_va = 0xb4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 1438 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1474 start_va = 0x75210000 end_va = 0x75213fff entry_point = 0x75210000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 1475 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1476 start_va = 0xe70000 end_va = 0x1df2fff entry_point = 0xe70000 region_type = mapped_file name = "batang.ttc" filename = "\\Windows\\Fonts\\batang.ttc" (normalized: "c:\\windows\\fonts\\batang.ttc") Region: id = 1477 start_va = 0xe70000 end_va = 0x1b55fff entry_point = 0xe70000 region_type = mapped_file name = "gulim.ttc" filename = "\\Windows\\Fonts\\gulim.ttc" (normalized: "c:\\windows\\fonts\\gulim.ttc") Region: id = 1478 start_va = 0xe70000 end_va = 0x1292fff entry_point = 0xe70000 region_type = mapped_file name = "malgun.ttf" filename = "\\Windows\\Fonts\\malgun.ttf" (normalized: "c:\\windows\\fonts\\malgun.ttf") Region: id = 1479 start_va = 0xe70000 end_va = 0x12befff entry_point = 0xe70000 region_type = mapped_file name = "malgunbd.ttf" filename = "\\Windows\\Fonts\\malgunbd.ttf" (normalized: "c:\\windows\\fonts\\malgunbd.ttf") Region: id = 1480 start_va = 0xe70000 end_va = 0x1787fff entry_point = 0xe70000 region_type = mapped_file name = "meiryo.ttc" filename = "\\Windows\\Fonts\\meiryo.ttc" (normalized: "c:\\windows\\fonts\\meiryo.ttc") Region: id = 1481 start_va = 0xe70000 end_va = 0x17bcfff entry_point = 0xe70000 region_type = mapped_file name = "meiryob.ttc" filename = "\\Windows\\Fonts\\meiryob.ttc" (normalized: "c:\\windows\\fonts\\meiryob.ttc") Region: id = 1482 start_va = 0xe70000 end_va = 0x2318fff entry_point = 0xe70000 region_type = mapped_file name = "msjh.ttf" filename = "\\Windows\\Fonts\\msjh.ttf" (normalized: "c:\\windows\\fonts\\msjh.ttf") Region: id = 1483 start_va = 0xe70000 end_va = 0x1c46fff entry_point = 0xe70000 region_type = mapped_file name = "msjhbd.ttf" filename = "\\Windows\\Fonts\\msjhbd.ttf" (normalized: "c:\\windows\\fonts\\msjhbd.ttf") Region: id = 1484 start_va = 0xe70000 end_va = 0x2332fff entry_point = 0xe70000 region_type = mapped_file name = "msyh.ttf" filename = "\\Windows\\Fonts\\msyh.ttf" (normalized: "c:\\windows\\fonts\\msyh.ttf") Region: id = 1485 start_va = 0xe70000 end_va = 0x1c5dfff entry_point = 0xe70000 region_type = mapped_file name = "msyhbd.ttf" filename = "\\Windows\\Fonts\\msyhbd.ttf" (normalized: "c:\\windows\\fonts\\msyhbd.ttf") Region: id = 1486 start_va = 0xe70000 end_va = 0x2d29fff entry_point = 0xe70000 region_type = mapped_file name = "mingliu.ttc" filename = "\\Windows\\Fonts\\mingliu.ttc" (normalized: "c:\\windows\\fonts\\mingliu.ttc") Region: id = 1487 start_va = 0xe70000 end_va = 0x2eadfff entry_point = 0xe70000 region_type = mapped_file name = "mingliub.ttc" filename = "\\Windows\\Fonts\\mingliub.ttc" (normalized: "c:\\windows\\fonts\\mingliub.ttc") Region: id = 1488 start_va = 0xe70000 end_va = 0x1730fff entry_point = 0xe70000 region_type = mapped_file name = "msgothic.ttc" filename = "\\Windows\\Fonts\\msgothic.ttc" (normalized: "c:\\windows\\fonts\\msgothic.ttc") Region: id = 1489 start_va = 0xe70000 end_va = 0x1807fff entry_point = 0xe70000 region_type = mapped_file name = "msmincho.ttc" filename = "\\Windows\\Fonts\\msmincho.ttc" (normalized: "c:\\windows\\fonts\\msmincho.ttc") Region: id = 1490 start_va = 0x3a0000 end_va = 0x41efff entry_point = 0x3a0000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 1491 start_va = 0x3a0000 end_va = 0x419fff entry_point = 0x3a0000 region_type = mapped_file name = "segoeuib.ttf" filename = "\\Windows\\Fonts\\segoeuib.ttf" (normalized: "c:\\windows\\fonts\\segoeuib.ttf") Region: id = 1492 start_va = 0xe70000 end_va = 0x1d0dfff entry_point = 0xe70000 region_type = mapped_file name = "simsun.ttc" filename = "\\Windows\\Fonts\\simsun.ttc" (normalized: "c:\\windows\\fonts\\simsun.ttc") Region: id = 1493 start_va = 0xe70000 end_va = 0x1d21fff entry_point = 0xe70000 region_type = mapped_file name = "simsunb.ttf" filename = "\\Windows\\Fonts\\simsunb.ttf" (normalized: "c:\\windows\\fonts\\simsunb.ttf") Region: id = 1494 start_va = 0xcd0000 end_va = 0xd7afff entry_point = 0xcd0000 region_type = mapped_file name = "tahoma.ttf" filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf") Region: id = 1495 start_va = 0xe30000 end_va = 0xe6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 1496 start_va = 0xcd0000 end_va = 0xd6ffff entry_point = 0xcd0000 region_type = mapped_file name = "micross.ttf" filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf") Region: id = 1505 start_va = 0xe70000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 1506 start_va = 0x230000 end_va = 0x24ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1507 start_va = 0x75200000 end_va = 0x75203fff entry_point = 0x75200000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 1508 start_va = 0x160000 end_va = 0x166fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 1509 start_va = 0x170000 end_va = 0x171fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 1510 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x3a0000 region_type = mapped_file name = "aero_arrow.cur" filename = "\\Windows\\Cursors\\aero_arrow.cur" (normalized: "c:\\windows\\cursors\\aero_arrow.cur") Region: id = 1511 start_va = 0x6e0000 end_va = 0xad2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 1512 start_va = 0x3a0000 end_va = 0x3ddfff entry_point = 0x3a0000 region_type = mapped_file name = "aero_busy.ani" filename = "\\Windows\\Cursors\\aero_busy.ani" (normalized: "c:\\windows\\cursors\\aero_busy.ani") Region: id = 1513 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x3a0000 region_type = mapped_file name = "aero_up.cur" filename = "\\Windows\\Cursors\\aero_up.cur" (normalized: "c:\\windows\\cursors\\aero_up.cur") Region: id = 1514 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x3a0000 region_type = mapped_file name = "aero_nwse.cur" filename = "\\Windows\\Cursors\\aero_nwse.cur" (normalized: "c:\\windows\\cursors\\aero_nwse.cur") Region: id = 1515 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x3a0000 region_type = mapped_file name = "aero_nesw.cur" filename = "\\Windows\\Cursors\\aero_nesw.cur" (normalized: "c:\\windows\\cursors\\aero_nesw.cur") Region: id = 1516 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x3a0000 region_type = mapped_file name = "aero_ew.cur" filename = "\\Windows\\Cursors\\aero_ew.cur" (normalized: "c:\\windows\\cursors\\aero_ew.cur") Region: id = 1517 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x3a0000 region_type = mapped_file name = "aero_ns.cur" filename = "\\Windows\\Cursors\\aero_ns.cur" (normalized: "c:\\windows\\cursors\\aero_ns.cur") Region: id = 1518 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x3a0000 region_type = mapped_file name = "aero_move.cur" filename = "\\Windows\\Cursors\\aero_move.cur" (normalized: "c:\\windows\\cursors\\aero_move.cur") Region: id = 1519 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x3a0000 region_type = mapped_file name = "aero_unavail.cur" filename = "\\Windows\\Cursors\\aero_unavail.cur" (normalized: "c:\\windows\\cursors\\aero_unavail.cur") Region: id = 1520 start_va = 0x3a0000 end_va = 0x3ddfff entry_point = 0x3a0000 region_type = mapped_file name = "aero_working.ani" filename = "\\Windows\\Cursors\\aero_working.ani" (normalized: "c:\\windows\\cursors\\aero_working.ani") Region: id = 1521 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x3a0000 region_type = mapped_file name = "aero_helpsel.cur" filename = "\\Windows\\Cursors\\aero_helpsel.cur" (normalized: "c:\\windows\\cursors\\aero_helpsel.cur") Region: id = 1522 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x3a0000 region_type = mapped_file name = "aero_pen.cur" filename = "\\Windows\\Cursors\\aero_pen.cur" (normalized: "c:\\windows\\cursors\\aero_pen.cur") Region: id = 1523 start_va = 0x3a0000 end_va = 0x3a3fff entry_point = 0x3a0000 region_type = mapped_file name = "aero_link.cur" filename = "\\Windows\\Cursors\\aero_link.cur" (normalized: "c:\\windows\\cursors\\aero_link.cur") Region: id = 2092 start_va = 0x530000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 2093 start_va = 0x590000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 2094 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 2336 start_va = 0x3a0000 end_va = 0x3a0fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 2337 start_va = 0xbb0000 end_va = 0xbeffff entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 2338 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 2796 start_va = 0x3a0000 end_va = 0x3a0fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 2804 start_va = 0x3a0000 end_va = 0x3a0fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 2805 start_va = 0x73600000 end_va = 0x73607fff entry_point = 0x73600000 region_type = mapped_file name = "uxinit.dll" filename = "\\Windows\\System32\\UXInit.dll" (normalized: "c:\\windows\\system32\\uxinit.dll") Region: id = 2806 start_va = 0x74150000 end_va = 0x7418ffff entry_point = 0x74150000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2807 start_va = 0xe70000 end_va = 0xfdffff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 2808 start_va = 0x1050000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2809 start_va = 0x1090000 end_va = 0x135efff entry_point = 0x1090000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2810 start_va = 0xcd0000 end_va = 0xdedfff entry_point = 0xcd0000 region_type = mapped_file name = "aero.msstyles" filename = "\\Windows\\Resources\\Themes\\Aero\\aero.msstyles" (normalized: "c:\\windows\\resources\\themes\\aero\\aero.msstyles") Region: id = 2811 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2812 start_va = 0x3a0000 end_va = 0x3dbfff entry_point = 0x3a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2813 start_va = 0x3a0000 end_va = 0x3dbfff entry_point = 0x3a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2814 start_va = 0x3a0000 end_va = 0x3dbfff entry_point = 0x3a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2815 start_va = 0x3a0000 end_va = 0x3dbfff entry_point = 0x3a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2816 start_va = 0x3a0000 end_va = 0x3dbfff entry_point = 0x3a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2817 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2818 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2819 start_va = 0xe70000 end_va = 0xf8dfff entry_point = 0xe70000 region_type = mapped_file name = "aero.msstyles" filename = "\\Windows\\Resources\\Themes\\Aero\\aero.msstyles" (normalized: "c:\\windows\\resources\\themes\\aero\\aero.msstyles") Region: id = 2820 start_va = 0xfa0000 end_va = 0xfdffff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 2821 start_va = 0x1360000 end_va = 0x1d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 2822 start_va = 0x73cf0000 end_va = 0x73deafff entry_point = 0x73cf0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 2823 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2824 start_va = 0xe70000 end_va = 0xf72fff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 2825 start_va = 0x3a0000 end_va = 0x3a0fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 2826 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 2827 start_va = 0x1d60000 end_va = 0x275ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d60000" filename = "" Region: id = 2828 start_va = 0xe70000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 2835 start_va = 0xcd0000 end_va = 0xdaefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cd0000" filename = "" Region: id = 2838 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 2839 start_va = 0x1360000 end_va = 0x1f5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001360000" filename = "" Region: id = 3000 start_va = 0xce0000 end_va = 0xd1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 3001 start_va = 0x73bb0000 end_va = 0x73bbefff entry_point = 0x73bb0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3002 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 3003 start_va = 0x74ef0000 end_va = 0x74f1afff entry_point = 0x74ef0000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 3004 start_va = 0x73bc0000 end_va = 0x73bc8fff entry_point = 0x73bc0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3031 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 3032 start_va = 0xd20000 end_va = 0xd9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 3033 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3038 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 3042 start_va = 0x1f60000 end_va = 0x20fffff entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 3043 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3044 start_va = 0xdb0000 end_va = 0xdeffff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 3045 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 3059 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 3159 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 3160 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 3164 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 3170 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 3173 start_va = 0x72170000 end_va = 0x72173fff entry_point = 0x72170000 region_type = mapped_file name = "kbdus.dll" filename = "\\Windows\\System32\\KBDUS.DLL" (normalized: "c:\\windows\\system32\\kbdus.dll") Region: id = 3174 start_va = 0x160000 end_va = 0x166fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 3175 start_va = 0x170000 end_va = 0x171fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 3176 start_va = 0x3d0000 end_va = 0x3d3fff entry_point = 0x3d0000 region_type = mapped_file name = "aero_arrow.cur" filename = "\\Windows\\Cursors\\aero_arrow.cur" (normalized: "c:\\windows\\cursors\\aero_arrow.cur") Region: id = 3177 start_va = 0x6e0000 end_va = 0xad2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 3178 start_va = 0x3f0000 end_va = 0x42dfff entry_point = 0x3f0000 region_type = mapped_file name = "aero_busy.ani" filename = "\\Windows\\Cursors\\aero_busy.ani" (normalized: "c:\\windows\\cursors\\aero_busy.ani") Region: id = 3179 start_va = 0x3d0000 end_va = 0x3d3fff entry_point = 0x3d0000 region_type = mapped_file name = "aero_up.cur" filename = "\\Windows\\Cursors\\aero_up.cur" (normalized: "c:\\windows\\cursors\\aero_up.cur") Region: id = 3180 start_va = 0x3d0000 end_va = 0x3d3fff entry_point = 0x3d0000 region_type = mapped_file name = "aero_nwse.cur" filename = "\\Windows\\Cursors\\aero_nwse.cur" (normalized: "c:\\windows\\cursors\\aero_nwse.cur") Region: id = 3181 start_va = 0x3d0000 end_va = 0x3d3fff entry_point = 0x3d0000 region_type = mapped_file name = "aero_nesw.cur" filename = "\\Windows\\Cursors\\aero_nesw.cur" (normalized: "c:\\windows\\cursors\\aero_nesw.cur") Region: id = 3182 start_va = 0x3d0000 end_va = 0x3d3fff entry_point = 0x3d0000 region_type = mapped_file name = "aero_ew.cur" filename = "\\Windows\\Cursors\\aero_ew.cur" (normalized: "c:\\windows\\cursors\\aero_ew.cur") Region: id = 3183 start_va = 0x3d0000 end_va = 0x3d3fff entry_point = 0x3d0000 region_type = mapped_file name = "aero_ns.cur" filename = "\\Windows\\Cursors\\aero_ns.cur" (normalized: "c:\\windows\\cursors\\aero_ns.cur") Region: id = 3184 start_va = 0x3d0000 end_va = 0x3d3fff entry_point = 0x3d0000 region_type = mapped_file name = "aero_move.cur" filename = "\\Windows\\Cursors\\aero_move.cur" (normalized: "c:\\windows\\cursors\\aero_move.cur") Region: id = 3185 start_va = 0x3d0000 end_va = 0x3d3fff entry_point = 0x3d0000 region_type = mapped_file name = "aero_unavail.cur" filename = "\\Windows\\Cursors\\aero_unavail.cur" (normalized: "c:\\windows\\cursors\\aero_unavail.cur") Region: id = 3186 start_va = 0x3f0000 end_va = 0x42dfff entry_point = 0x3f0000 region_type = mapped_file name = "aero_working.ani" filename = "\\Windows\\Cursors\\aero_working.ani" (normalized: "c:\\windows\\cursors\\aero_working.ani") Region: id = 3187 start_va = 0x3d0000 end_va = 0x3d3fff entry_point = 0x3d0000 region_type = mapped_file name = "aero_helpsel.cur" filename = "\\Windows\\Cursors\\aero_helpsel.cur" (normalized: "c:\\windows\\cursors\\aero_helpsel.cur") Region: id = 3188 start_va = 0x3d0000 end_va = 0x3d3fff entry_point = 0x3d0000 region_type = mapped_file name = "aero_pen.cur" filename = "\\Windows\\Cursors\\aero_pen.cur" (normalized: "c:\\windows\\cursors\\aero_pen.cur") Region: id = 3189 start_va = 0x3d0000 end_va = 0x3d3fff entry_point = 0x3d0000 region_type = mapped_file name = "aero_link.cur" filename = "\\Windows\\Cursors\\aero_link.cur" (normalized: "c:\\windows\\cursors\\aero_link.cur") Region: id = 3190 start_va = 0x1f60000 end_va = 0x203efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f60000" filename = "" Region: id = 3191 start_va = 0x20c0000 end_va = 0x20fffff entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 3192 start_va = 0x2100000 end_va = 0x228ffff entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 3196 start_va = 0x73610000 end_va = 0x73619fff entry_point = 0x73610000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 5244 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 5245 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 5289 start_va = 0x746b0000 end_va = 0x746c1fff entry_point = 0x746b0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Thread: id = 157 os_tid = 0x180 Thread: id = 166 os_tid = 0x1c8 Thread: id = 167 os_tid = 0x1cc Thread: id = 228 os_tid = 0x2c4 Thread: id = 248 os_tid = 0x314 Thread: id = 298 os_tid = 0x3f4 Thread: id = 299 os_tid = 0x3fc Thread: id = 309 os_tid = 0x418 Process: id = "17" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0x7f1fa080" os_pid = "0x1a8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0x158" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1367 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1368 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1369 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1370 start_va = 0x620000 end_va = 0x660fff entry_point = 0x620000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 1371 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1372 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1373 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1374 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1375 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1377 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1439 start_va = 0x190000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1440 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1441 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1442 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1443 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1444 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1445 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1446 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1447 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1448 start_va = 0x75320000 end_va = 0x7532afff entry_point = 0x75320000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1449 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1450 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1451 start_va = 0x2e0000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1452 start_va = 0x75240000 end_va = 0x7524efff entry_point = 0x75240000 region_type = mapped_file name = "scext.dll" filename = "\\Windows\\System32\\scext.dll" (normalized: "c:\\windows\\system32\\scext.dll") Region: id = 1524 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1525 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1526 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1527 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1528 start_va = 0x75210000 end_va = 0x75217fff entry_point = 0x75210000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1529 start_va = 0x751c0000 end_va = 0x7520dfff entry_point = 0x751c0000 region_type = mapped_file name = "scesrv.dll" filename = "\\Windows\\System32\\scesrv.dll" (normalized: "c:\\windows\\system32\\scesrv.dll") Region: id = 1656 start_va = 0x74ae0000 end_va = 0x74af8fff entry_point = 0x74ae0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1657 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1658 start_va = 0x2e0000 end_va = 0x3a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 1659 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 1660 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1661 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1662 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1663 start_va = 0xc0000 end_va = 0x13ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1664 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 1665 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1666 start_va = 0x140000 end_va = 0x141fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 1667 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1668 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1669 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1670 start_va = 0x670000 end_va = 0xa62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 1671 start_va = 0xa70000 end_va = 0xc2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 1673 start_va = 0x1b0000 end_va = 0x1bcfff entry_point = 0x1b0000 region_type = mapped_file name = "tsusbflt.sys" filename = "\\Windows\\System32\\drivers\\TsUsbFlt.sys" (normalized: "c:\\windows\\system32\\drivers\\tsusbflt.sys") Region: id = 1674 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x1c0000 region_type = mapped_file name = "tsusbflt.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\tsusbflt.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\tsusbflt.sys.mui") Region: id = 1675 start_va = 0xa80000 end_va = 0xabffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 1676 start_va = 0xb90000 end_va = 0xbcffff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 1677 start_va = 0xbf0000 end_va = 0xc2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 1678 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1679 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1680 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1681 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1682 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1683 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1684 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1685 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1686 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1687 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1688 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1689 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1690 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1691 start_va = 0x74ad0000 end_va = 0x74ad7fff entry_point = 0x74ad0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1692 start_va = 0x74f90000 end_va = 0x74faafff entry_point = 0x74f90000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1693 start_va = 0x1b0000 end_va = 0x1b4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1695 start_va = 0x74aa0000 end_va = 0x74acbfff entry_point = 0x74aa0000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1696 start_va = 0x5e0000 end_va = 0x61ffff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 1697 start_va = 0xc80000 end_va = 0xcbffff entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 1698 start_va = 0xcc0000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 1699 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1700 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1701 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1702 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1706 start_va = 0x3d0000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 1707 start_va = 0xb30000 end_va = 0xb6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 1708 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1709 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1710 start_va = 0xe40000 end_va = 0xe7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 1711 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 1712 start_va = 0xeb0000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 1713 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 1714 start_va = 0xf00000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 1715 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 1716 start_va = 0xcf0000 end_va = 0xd2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 1717 start_va = 0xdd0000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 1718 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 1840 start_va = 0x580000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1841 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 3024 start_va = 0xf90000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 3025 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 3165 start_va = 0x73cd0000 end_va = 0x73cdcfff entry_point = 0x73cd0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3166 start_va = 0x75270000 end_va = 0x75298fff entry_point = 0x75270000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3606 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3607 start_va = 0xd70000 end_va = 0xdaffff entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 3608 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 3609 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3610 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3611 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3612 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3613 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3614 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3615 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3639 start_va = 0x10e0000 end_va = 0x111ffff entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 3640 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 3657 start_va = 0xfd0000 end_va = 0x10cffff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 3658 start_va = 0x1170000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x0000000001170000" filename = "" Region: id = 3659 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 3766 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3767 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3768 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3769 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3770 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3771 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3772 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3773 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3774 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3775 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3776 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3777 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3778 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3779 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3780 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3781 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3824 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3825 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3831 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3832 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3833 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3834 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3835 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3836 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3896 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3897 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3898 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3899 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3900 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3901 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3902 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3903 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3904 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3905 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3906 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3907 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3908 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3909 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4552 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4553 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4554 start_va = 0x11b0000 end_va = 0x147efff entry_point = 0x11b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4555 start_va = 0x74de0000 end_va = 0x74e1bfff entry_point = 0x74de0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4556 start_va = 0x74900000 end_va = 0x74904fff entry_point = 0x74900000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 4558 start_va = 0x74dd0000 end_va = 0x74dd5fff entry_point = 0x74dd0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 4559 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 4560 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4561 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4562 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4563 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 4564 start_va = 0x3c0000 end_va = 0x3c0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 4565 start_va = 0x410000 end_va = 0x410fff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 4566 start_va = 0x420000 end_va = 0x420fff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 4567 start_va = 0x430000 end_va = 0x430fff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 4568 start_va = 0x440000 end_va = 0x440fff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4569 start_va = 0x450000 end_va = 0x450fff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 4570 start_va = 0x5c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4571 start_va = 0x5d0000 end_va = 0x5d0fff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 4572 start_va = 0xa70000 end_va = 0xa70fff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 4573 start_va = 0xac0000 end_va = 0xac0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 4574 start_va = 0xad0000 end_va = 0xad0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 4575 start_va = 0xae0000 end_va = 0xae0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 4576 start_va = 0xaf0000 end_va = 0xaf0fff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 4577 start_va = 0xb00000 end_va = 0xb00fff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 4578 start_va = 0xb10000 end_va = 0xb10fff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 4579 start_va = 0xb20000 end_va = 0xb20fff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 4580 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 4581 start_va = 0xb80000 end_va = 0xb80fff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 4582 start_va = 0xbd0000 end_va = 0xbd0fff entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 4583 start_va = 0xbe0000 end_va = 0xbe0fff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 4584 start_va = 0xc30000 end_va = 0xc30fff entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 4585 start_va = 0xc40000 end_va = 0xc40fff entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 4586 start_va = 0xc50000 end_va = 0xc50fff entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 4587 start_va = 0xc60000 end_va = 0xc60fff entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 4588 start_va = 0xc70000 end_va = 0xc70fff entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 4589 start_va = 0xcc0000 end_va = 0xcc0fff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 4590 start_va = 0xcd0000 end_va = 0xcd0fff entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 4591 start_va = 0xce0000 end_va = 0xce0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 4592 start_va = 0xd30000 end_va = 0xd30fff entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 4593 start_va = 0x1480000 end_va = 0x157ffff entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 4594 start_va = 0x1580000 end_va = 0x167ffff entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 4595 start_va = 0x1680000 end_va = 0x187ffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Thread: id = 168 os_tid = 0x1ac Thread: id = 184 os_tid = 0x204 Thread: id = 185 os_tid = 0x208 Thread: id = 186 os_tid = 0x20c Thread: id = 187 os_tid = 0x210 Thread: id = 188 os_tid = 0x214 Thread: id = 189 os_tid = 0x218 Thread: id = 190 os_tid = 0x21c Thread: id = 191 os_tid = 0x220 Thread: id = 192 os_tid = 0x224 Thread: id = 193 os_tid = 0x228 Thread: id = 209 os_tid = 0x26c Thread: id = 302 os_tid = 0x3f8 Thread: id = 376 os_tid = 0x538 Thread: id = 381 os_tid = 0x550 Thread: id = 383 os_tid = 0x558 Process: id = "18" image_name = "lsass.exe" filename = "c:\\windows\\system32\\lsass.exe" page_root = "0x7f1fa0e0" os_pid = "0x1b0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0x158" cmd_line = "C:\\Windows\\system32\\lsass.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1378 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1379 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1380 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1381 start_va = 0xa00000 end_va = 0xa08fff entry_point = 0xa00000 region_type = mapped_file name = "lsass.exe" filename = "\\Windows\\System32\\lsass.exe" (normalized: "c:\\windows\\system32\\lsass.exe") Region: id = 1382 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1383 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1384 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1385 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1386 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1388 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1453 start_va = 0x90000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1454 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1455 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1456 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1457 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1458 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1459 start_va = 0x140000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1460 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1461 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1462 start_va = 0x75230000 end_va = 0x75236fff entry_point = 0x75230000 region_type = mapped_file name = "sspisrv.dll" filename = "\\Windows\\System32\\sspisrv.dll" (normalized: "c:\\windows\\system32\\sspisrv.dll") Region: id = 1530 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1531 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1532 start_va = 0x2b0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 1533 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1534 start_va = 0x750c0000 end_va = 0x751bffff entry_point = 0x750c0000 region_type = mapped_file name = "lsasrv.dll" filename = "\\Windows\\System32\\lsasrv.dll" (normalized: "c:\\windows\\system32\\lsasrv.dll") Region: id = 1535 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1536 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1537 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1538 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1539 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1540 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1541 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1542 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1543 start_va = 0x75030000 end_va = 0x750bafff entry_point = 0x75030000 region_type = mapped_file name = "samsrv.dll" filename = "\\Windows\\System32\\samsrv.dll" (normalized: "c:\\windows\\system32\\samsrv.dll") Region: id = 1544 start_va = 0x75010000 end_va = 0x75020fff entry_point = 0x75010000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 1545 start_va = 0x75390000 end_va = 0x7539bfff entry_point = 0x75390000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1546 start_va = 0x74fc0000 end_va = 0x75001fff entry_point = 0x74fc0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1547 start_va = 0x100000 end_va = 0x11cfff entry_point = 0x100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1548 start_va = 0x340000 end_va = 0x407fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1549 start_va = 0x100000 end_va = 0x11cfff entry_point = 0x100000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1550 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1551 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1557 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1558 start_va = 0x520000 end_va = 0x59ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1559 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1560 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1561 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1562 start_va = 0x5d0000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 1563 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1564 start_va = 0x610000 end_va = 0x710fff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 1565 start_va = 0x610000 end_va = 0x710fff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 1566 start_va = 0x610000 end_va = 0x710fff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 1567 start_va = 0x610000 end_va = 0x710fff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 1568 start_va = 0x610000 end_va = 0x710fff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 1569 start_va = 0x130000 end_va = 0x13ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1570 start_va = 0x74fb0000 end_va = 0x74fb5fff entry_point = 0x74fb0000 region_type = mapped_file name = "cngaudit.dll" filename = "\\Windows\\System32\\cngaudit.dll" (normalized: "c:\\windows\\system32\\cngaudit.dll") Region: id = 1571 start_va = 0x74f90000 end_va = 0x74faafff entry_point = 0x74f90000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1572 start_va = 0x74f50000 end_va = 0x74f87fff entry_point = 0x74f50000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 1573 start_va = 0x74f30000 end_va = 0x74f46fff entry_point = 0x74f30000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1574 start_va = 0x2f0000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1575 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1576 start_va = 0x690000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1577 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1578 start_va = 0x240000 end_va = 0x246fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 1579 start_va = 0x250000 end_va = 0x251fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 1580 start_va = 0xa10000 end_va = 0xe02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 1581 start_va = 0x74f20000 end_va = 0x74f21fff entry_point = 0x74f20000 region_type = mapped_file name = "msprivs.dll" filename = "\\Windows\\System32\\msprivs.dll" (normalized: "c:\\windows\\system32\\msprivs.dll") Region: id = 1582 start_va = 0x260000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 1583 start_va = 0x74ef0000 end_va = 0x74f1afff entry_point = 0x74ef0000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1584 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1585 start_va = 0x6d0000 end_va = 0x99efff entry_point = 0x6d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1586 start_va = 0x74ed0000 end_va = 0x74eeafff entry_point = 0x74ed0000 region_type = mapped_file name = "negoexts.dll" filename = "\\Windows\\System32\\negoexts.dll" (normalized: "c:\\windows\\system32\\negoexts.dll") Region: id = 1587 start_va = 0x75210000 end_va = 0x75217fff entry_point = 0x75210000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1588 start_va = 0x650000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 1589 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1590 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1591 start_va = 0x74e40000 end_va = 0x74ec7fff entry_point = 0x74e40000 region_type = mapped_file name = "kerberos.dll" filename = "\\Windows\\System32\\kerberos.dll" (normalized: "c:\\windows\\system32\\kerberos.dll") Region: id = 1592 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1593 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1594 start_va = 0x5a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 1595 start_va = 0x5a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 1596 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1597 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1598 start_va = 0x74de0000 end_va = 0x74e1bfff entry_point = 0x74de0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1599 start_va = 0x74dd0000 end_va = 0x74dd5fff entry_point = 0x74dd0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1600 start_va = 0x5a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1601 start_va = 0xe10000 end_va = 0xf10fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 1602 start_va = 0xe10000 end_va = 0xf10fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 1603 start_va = 0xe10000 end_va = 0xf10fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 1604 start_va = 0x74d80000 end_va = 0x74dc1fff entry_point = 0x74d80000 region_type = mapped_file name = "msv1_0.dll" filename = "\\Windows\\System32\\msv1_0.dll" (normalized: "c:\\windows\\system32\\msv1_0.dll") Region: id = 1605 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1606 start_va = 0x5a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 1607 start_va = 0x74cf0000 end_va = 0x74d7bfff entry_point = 0x74cf0000 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 1608 start_va = 0x74ca0000 end_va = 0x74ce3fff entry_point = 0x74ca0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1609 start_va = 0x74c70000 end_va = 0x74c91fff entry_point = 0x74c70000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1610 start_va = 0xe10000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 1611 start_va = 0x74c30000 end_va = 0x74c69fff entry_point = 0x74c30000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 1612 start_va = 0x75480000 end_va = 0x7559cfff entry_point = 0x75480000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1613 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1614 start_va = 0x74c00000 end_va = 0x74c2bfff entry_point = 0x74c00000 region_type = mapped_file name = "wdigest.dll" filename = "\\Windows\\System32\\wdigest.dll" (normalized: "c:\\windows\\system32\\wdigest.dll") Region: id = 1615 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1616 start_va = 0x5a0000 end_va = 0x5b0fff entry_point = 0x5a0000 region_type = mapped_file name = "c_28591.nls" filename = "\\Windows\\System32\\C_28591.NLS" (normalized: "c:\\windows\\system32\\c_28591.nls") Region: id = 1617 start_va = 0x610000 end_va = 0x64bfff entry_point = 0x610000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1618 start_va = 0x610000 end_va = 0x64bfff entry_point = 0x610000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1619 start_va = 0x610000 end_va = 0x64bfff entry_point = 0x610000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1620 start_va = 0x610000 end_va = 0x64bfff entry_point = 0x610000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1621 start_va = 0x610000 end_va = 0x64bfff entry_point = 0x610000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1622 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1623 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x5c0000 region_type = mapped_file name = "tspkg.dll" filename = "\\Windows\\System32\\TSpkg.dll" (normalized: "c:\\windows\\system32\\tspkg.dll") Region: id = 1624 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x5c0000 region_type = mapped_file name = "tspkg.dll" filename = "\\Windows\\System32\\TSpkg.dll" (normalized: "c:\\windows\\system32\\tspkg.dll") Region: id = 1625 start_va = 0x74ba0000 end_va = 0x74bb1fff entry_point = 0x74ba0000 region_type = mapped_file name = "tspkg.dll" filename = "\\Windows\\System32\\TSpkg.dll" (normalized: "c:\\windows\\system32\\tspkg.dll") Region: id = 1626 start_va = 0x74b80000 end_va = 0x74b91fff entry_point = 0x74b80000 region_type = mapped_file name = "tspkg.dll" filename = "\\Windows\\System32\\TSpkg.dll" (normalized: "c:\\windows\\system32\\tspkg.dll") Region: id = 1627 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 1628 start_va = 0x74b40000 end_va = 0x74b73fff entry_point = 0x74b40000 region_type = mapped_file name = "pku2u.dll" filename = "\\Windows\\System32\\pku2u.dll" (normalized: "c:\\windows\\system32\\pku2u.dll") Region: id = 1629 start_va = 0x74b00000 end_va = 0x74b3cfff entry_point = 0x74b00000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1630 start_va = 0x5c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1631 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1632 start_va = 0x74bb0000 end_va = 0x74bbcfff entry_point = 0x74bb0000 region_type = mapped_file name = "efslsaext.dll" filename = "\\Windows\\System32\\efslsaext.dll" (normalized: "c:\\windows\\system32\\efslsaext.dll") Region: id = 1633 start_va = 0x610000 end_va = 0x610fff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 1634 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 1635 start_va = 0x630000 end_va = 0x630fff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 1636 start_va = 0x640000 end_va = 0x640fff entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 1637 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 1638 start_va = 0x9b0000 end_va = 0x9b0fff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 1639 start_va = 0x9c0000 end_va = 0x9c0fff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 1640 start_va = 0x9d0000 end_va = 0x9d0fff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 1641 start_va = 0x74ba0000 end_va = 0x74ba7fff entry_point = 0x74ba0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1642 start_va = 0xe10000 end_va = 0xf10fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 1643 start_va = 0xfd0000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 1644 start_va = 0xe10000 end_va = 0xf10fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 1645 start_va = 0xe10000 end_va = 0xf10fff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 1646 start_va = 0xe10000 end_va = 0xf0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 1647 start_va = 0xf30000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 1648 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 1649 start_va = 0x9e0000 end_va = 0x9e0fff entry_point = 0x9e0000 region_type = mapped_file name = "04ece708-132d-4bf0-a647-e3329269a012" filename = "\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\User\\04ece708-132d-4bf0-a647-e3329269a012" (normalized: "c:\\windows\\system32\\microsoft\\protect\\s-1-5-18\\user\\04ece708-132d-4bf0-a647-e3329269a012") Region: id = 1650 start_va = 0x1020000 end_va = 0x105ffff entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1651 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 1652 start_va = 0x1190000 end_va = 0x11cffff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 1653 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 1654 start_va = 0x9e0000 end_va = 0x9e0fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 1694 start_va = 0x9f0000 end_va = 0x9f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 1724 start_va = 0x74a70000 end_va = 0x74a9dfff entry_point = 0x74a70000 region_type = mapped_file name = "scecli.dll" filename = "\\Windows\\System32\\scecli.dll" (normalized: "c:\\windows\\system32\\scecli.dll") Region: id = 1725 start_va = 0x75270000 end_va = 0x75298fff entry_point = 0x75270000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1726 start_va = 0x9e0000 end_va = 0x9e0fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 1727 start_va = 0x10f0000 end_va = 0x112ffff entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 1728 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 1729 start_va = 0x9e0000 end_va = 0x9e0fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 1730 start_va = 0x9e0000 end_va = 0x9e0fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 1731 start_va = 0x9e0000 end_va = 0x9e0fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 1732 start_va = 0x9e0000 end_va = 0x9e0fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 1733 start_va = 0x9e0000 end_va = 0x9e0fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 1734 start_va = 0x9e0000 end_va = 0x9e0fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 1735 start_va = 0x9e0000 end_va = 0x9e0fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 1736 start_va = 0x9e0000 end_va = 0x9e0fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 1737 start_va = 0x74ad0000 end_va = 0x74ad7fff entry_point = 0x74ad0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1738 start_va = 0x50000 end_va = 0x50fff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1739 start_va = 0x50000 end_va = 0x50fff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1740 start_va = 0x50000 end_va = 0x50fff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1741 start_va = 0x50000 end_va = 0x50fff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1742 start_va = 0x50000 end_va = 0x50fff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2348 start_va = 0x10a0000 end_va = 0x10dffff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 2349 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 2387 start_va = 0xf10000 end_va = 0xf8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 2396 start_va = 0x1110000 end_va = 0x114ffff entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 2397 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 2764 start_va = 0x74900000 end_va = 0x74904fff entry_point = 0x74900000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 3034 start_va = 0x72230000 end_va = 0x7224bfff entry_point = 0x72230000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3035 start_va = 0x72220000 end_va = 0x72226fff entry_point = 0x72220000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3036 start_va = 0x50000 end_va = 0x50fff entry_point = 0x50000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 3037 start_va = 0x50000 end_va = 0x50fff entry_point = 0x50000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 3039 start_va = 0x11a0000 end_va = 0x11dffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 3040 start_va = 0x73bc0000 end_va = 0x73bc8fff entry_point = 0x73bc0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3041 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 3077 start_va = 0x749d0000 end_va = 0x749e6fff entry_point = 0x749d0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3078 start_va = 0x75320000 end_va = 0x7532afff entry_point = 0x75320000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Thread: id = 169 os_tid = 0x1b4 Thread: id = 173 os_tid = 0x1d8 Thread: id = 175 os_tid = 0x1e0 Thread: id = 176 os_tid = 0x1e4 Thread: id = 178 os_tid = 0x1e8 Thread: id = 179 os_tid = 0x1f0 Thread: id = 180 os_tid = 0x1f4 Thread: id = 181 os_tid = 0x1f8 Thread: id = 182 os_tid = 0x1fc Thread: id = 183 os_tid = 0x200 Thread: id = 195 os_tid = 0x230 Thread: id = 249 os_tid = 0x318 Thread: id = 253 os_tid = 0x328 Thread: id = 308 os_tid = 0x414 Thread: id = 327 os_tid = 0x464 Process: id = "19" image_name = "lsm.exe" filename = "c:\\windows\\system32\\lsm.exe" page_root = "0x7f1fa100" os_pid = "0x1bc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0x158" cmd_line = "C:\\Windows\\system32\\lsm.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1389 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1390 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1391 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1392 start_va = 0x2e0000 end_va = 0x323fff entry_point = 0x2e0000 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 1393 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1394 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1395 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1396 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 1397 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1401 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1463 start_va = 0xb0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 1464 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1465 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1466 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1467 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1468 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1469 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1470 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1471 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1472 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1473 start_va = 0x75220000 end_va = 0x75226fff entry_point = 0x75220000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1655 start_va = 0x74ba0000 end_va = 0x74ba5fff entry_point = 0x74ba0000 region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 1672 start_va = 0x120000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 1720 start_va = 0x360000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 1721 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1722 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1723 start_va = 0x3a0000 end_va = 0x66efff entry_point = 0x3a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1964 start_va = 0x700000 end_va = 0x73ffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1965 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 2023 start_va = 0x870000 end_va = 0x8affff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 2024 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 2025 start_va = 0x74980000 end_va = 0x7498afff entry_point = 0x74980000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 2026 start_va = 0x740000 end_va = 0x7effff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 2027 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2028 start_va = 0x75210000 end_va = 0x75217fff entry_point = 0x75210000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2029 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2030 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2031 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2032 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2033 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2034 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2035 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2036 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2037 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2038 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2039 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2040 start_va = 0x74ad0000 end_va = 0x74ad7fff entry_point = 0x74ad0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 2041 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2046 start_va = 0x50000 end_va = 0x51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2047 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2048 start_va = 0x120000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 2049 start_va = 0x180000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2050 start_va = 0x680000 end_va = 0x6bffff entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 2051 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 2052 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 2057 start_va = 0x8b0000 end_va = 0x8effff entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 2058 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 2073 start_va = 0x9d0000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 2074 start_va = 0xa30000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 2075 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 2076 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 2077 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2346 start_va = 0xb00000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 2347 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 3161 start_va = 0x160000 end_va = 0x166fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 3162 start_va = 0x170000 end_va = 0x171fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 3163 start_va = 0x190000 end_va = 0x191fff entry_point = 0x190000 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Thread: id = 170 os_tid = 0x1c0 Thread: id = 194 os_tid = 0x22c Thread: id = 225 os_tid = 0x2b4 Thread: id = 227 os_tid = 0x2bc Thread: id = 232 os_tid = 0x2d0 Thread: id = 233 os_tid = 0x2d4 Thread: id = 234 os_tid = 0x2d8 Thread: id = 235 os_tid = 0x2dc Thread: id = 238 os_tid = 0x2e8 Thread: id = 240 os_tid = 0x2f0 Process: id = "20" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1fa120" os_pid = "0x234" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x1a8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT AUTHORITY\\Logon Session 00000000:00006913" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1743 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1744 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1745 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1746 start_va = 0xae0000 end_va = 0xae7fff entry_point = 0xae0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1747 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1748 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1749 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1750 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1751 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1754 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1755 start_va = 0x130000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1756 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1757 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1758 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1759 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1760 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1761 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1762 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1763 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1764 start_va = 0x130000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1765 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 1766 start_va = 0x270000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1767 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 1768 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1769 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1770 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1771 start_va = 0x220000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 1772 start_va = 0x410000 end_va = 0x6defff entry_point = 0x410000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1773 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1774 start_va = 0x74a20000 end_va = 0x74a68fff entry_point = 0x74a20000 region_type = mapped_file name = "umpnpmgr.dll" filename = "\\Windows\\System32\\umpnpmgr.dll" (normalized: "c:\\windows\\system32\\umpnpmgr.dll") Region: id = 1775 start_va = 0x74a00000 end_va = 0x74a14fff entry_point = 0x74a00000 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 1776 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1777 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1778 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1779 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1780 start_va = 0x749f0000 end_va = 0x749fdfff entry_point = 0x749f0000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 1781 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1782 start_va = 0x6e0000 end_va = 0x7a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 1783 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1784 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1785 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1786 start_va = 0x7b0000 end_va = 0x8b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 1787 start_va = 0x8c0000 end_va = 0x93ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 1788 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1789 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1790 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1791 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1792 start_va = 0x940000 end_va = 0x9effff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 1793 start_va = 0xaf0000 end_va = 0xee2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 1794 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1795 start_va = 0x1e0000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1796 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1797 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1798 start_va = 0x749d0000 end_va = 0x749e6fff entry_point = 0x749d0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1799 start_va = 0x75320000 end_va = 0x7532afff entry_point = 0x75320000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1800 start_va = 0x749b0000 end_va = 0x749c5fff entry_point = 0x749b0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1801 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1802 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1803 start_va = 0x9a0000 end_va = 0x9dffff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 1804 start_va = 0x9e0000 end_va = 0x9effff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 1805 start_va = 0xaa0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 1806 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 1807 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1808 start_va = 0x960000 end_va = 0x99ffff entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 1809 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1810 start_va = 0x74990000 end_va = 0x749affff entry_point = 0x74990000 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 1811 start_va = 0x75270000 end_va = 0x75298fff entry_point = 0x75270000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1812 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1813 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1814 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1815 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1816 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1817 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1818 start_va = 0x74980000 end_va = 0x7498afff entry_point = 0x74980000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 1819 start_va = 0xef0000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 1820 start_va = 0xef0000 end_va = 0xf2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 1821 start_va = 0xf90000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 1822 start_va = 0x10c0000 end_va = 0x10fffff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 1823 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 1824 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 1825 start_va = 0x74950000 end_va = 0x74974fff entry_point = 0x74950000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1826 start_va = 0x220000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 1827 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 1828 start_va = 0x74920000 end_va = 0x74944fff entry_point = 0x74920000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1829 start_va = 0x74950000 end_va = 0x74974fff entry_point = 0x74950000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1830 start_va = 0x74920000 end_va = 0x74944fff entry_point = 0x74920000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1831 start_va = 0x74950000 end_va = 0x74974fff entry_point = 0x74950000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1832 start_va = 0x74920000 end_va = 0x74944fff entry_point = 0x74920000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1833 start_va = 0x74950000 end_va = 0x74974fff entry_point = 0x74950000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1834 start_va = 0xa10000 end_va = 0xa4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 1835 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 1836 start_va = 0x74920000 end_va = 0x74944fff entry_point = 0x74920000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1837 start_va = 0x74950000 end_va = 0x74974fff entry_point = 0x74950000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1838 start_va = 0x74920000 end_va = 0x74944fff entry_point = 0x74920000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1839 start_va = 0x74950000 end_va = 0x74974fff entry_point = 0x74950000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1853 start_va = 0xf30000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 1854 start_va = 0x74920000 end_va = 0x7497efff entry_point = 0x74920000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1855 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 1867 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1868 start_va = 0xa50000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 1869 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 1870 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1871 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1872 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1873 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1874 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1875 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1876 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1877 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1878 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1879 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1880 start_va = 0x74ad0000 end_va = 0x74ad7fff entry_point = 0x74ad0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1881 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1998 start_va = 0x1110000 end_va = 0x114ffff entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 1999 start_va = 0x1180000 end_va = 0x11bffff entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 2000 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 2017 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 2018 start_va = 0x2b0000 end_va = 0x2c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2990 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2991 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2992 start_va = 0x11c0000 end_va = 0x12bffff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 2993 start_va = 0x260000 end_va = 0x260fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 3049 start_va = 0x12c0000 end_va = 0x13bffff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 4436 start_va = 0x74730000 end_va = 0x74750fff entry_point = 0x74730000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4437 start_va = 0x77370000 end_va = 0x773b4fff entry_point = 0x77370000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 4443 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 4444 start_va = 0x70cf0000 end_va = 0x70d12fff entry_point = 0x70cf0000 region_type = mapped_file name = "wmidcprv.dll" filename = "\\Windows\\System32\\wbem\\WmiDcPrv.dll" (normalized: "c:\\windows\\system32\\wbem\\wmidcprv.dll") Region: id = 4445 start_va = 0x70c50000 end_va = 0x70ce5fff entry_point = 0x70c50000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 4446 start_va = 0x70e20000 end_va = 0x70e7bfff entry_point = 0x70e20000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 4447 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4448 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4449 start_va = 0x70c30000 end_va = 0x70c47fff entry_point = 0x70c30000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4452 start_va = 0x13c0000 end_va = 0x155ffff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 4453 start_va = 0x70c20000 end_va = 0x70c29fff entry_point = 0x70c20000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 4462 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4463 start_va = 0xf30000 end_va = 0xf6bfff entry_point = 0xf30000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4464 start_va = 0xf30000 end_va = 0xf6bfff entry_point = 0xf30000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4465 start_va = 0xf30000 end_va = 0xf6bfff entry_point = 0xf30000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4466 start_va = 0xf30000 end_va = 0xf6bfff entry_point = 0xf30000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4467 start_va = 0xf30000 end_va = 0xf6bfff entry_point = 0xf30000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4468 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4531 start_va = 0x1060000 end_va = 0x109ffff entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 4532 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 4533 start_va = 0x709a0000 end_va = 0x709aefff entry_point = 0x709a0000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 4642 start_va = 0x14d0000 end_va = 0x150ffff entry_point = 0x0 region_type = private name = "private_0x00000000014d0000" filename = "" Region: id = 4643 start_va = 0x1520000 end_va = 0x155ffff entry_point = 0x0 region_type = private name = "private_0x0000000001520000" filename = "" Region: id = 4644 start_va = 0x1560000 end_va = 0x18c4fff entry_point = 0x1560000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4645 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 4646 start_va = 0x1560000 end_va = 0x18c4fff entry_point = 0x1560000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4773 start_va = 0xfe0000 end_va = 0x101ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 4774 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 5120 start_va = 0x70930000 end_va = 0x70946fff entry_point = 0x70930000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 5133 start_va = 0x13c0000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 5162 start_va = 0x160000 end_va = 0x16bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 5247 start_va = 0x755a0000 end_va = 0x755ccfff entry_point = 0x755a0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 5248 start_va = 0x75480000 end_va = 0x7559cfff entry_point = 0x75480000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 5249 start_va = 0x75390000 end_va = 0x7539bfff entry_point = 0x75390000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Thread: id = 196 os_tid = 0x238 Thread: id = 197 os_tid = 0x23c Thread: id = 198 os_tid = 0x240 Thread: id = 199 os_tid = 0x244 Thread: id = 200 os_tid = 0x248 Thread: id = 201 os_tid = 0x24c Thread: id = 202 os_tid = 0x250 Thread: id = 203 os_tid = 0x254 Thread: id = 204 os_tid = 0x258 Thread: id = 205 os_tid = 0x25c Thread: id = 206 os_tid = 0x260 Thread: id = 207 os_tid = 0x264 Thread: id = 208 os_tid = 0x268 Thread: id = 211 os_tid = 0x274 Thread: id = 213 os_tid = 0x280 Thread: id = 214 os_tid = 0x284 Thread: id = 216 os_tid = 0x28c Thread: id = 456 os_tid = 0x688 Thread: id = 475 os_tid = 0x6d8 Thread: id = 484 os_tid = 0x708 Process: id = "21" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1fa140" os_pid = "0x278" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x1a8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ac1e" [0xc000000f], "LOCAL" [0x7] Region: id = 1843 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1844 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1845 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1846 start_va = 0xae0000 end_va = 0xae7fff entry_point = 0xae0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1847 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1848 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1849 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1850 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1851 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1852 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1856 start_va = 0xd0000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1857 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1858 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1859 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1860 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1861 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1862 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1863 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1864 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1865 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1866 start_va = 0x340000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 1882 start_va = 0x340000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 1883 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 1884 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1885 start_va = 0x4c0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1886 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1887 start_va = 0x400000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1888 start_va = 0x500000 end_va = 0x7cefff entry_point = 0x500000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1889 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1890 start_va = 0x74910000 end_va = 0x7491dfff entry_point = 0x74910000 region_type = mapped_file name = "rpcepmap.dll" filename = "\\Windows\\System32\\RpcEpMap.dll" (normalized: "c:\\windows\\system32\\rpcepmap.dll") Region: id = 1891 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1892 start_va = 0x75210000 end_va = 0x75217fff entry_point = 0x75210000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1893 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1894 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1895 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1896 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1897 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1898 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1899 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1900 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1901 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1902 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1903 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1904 start_va = 0x74ad0000 end_va = 0x74ad7fff entry_point = 0x74ad0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1905 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1906 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1907 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1908 start_va = 0x480000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1909 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1910 start_va = 0x3f0000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1911 start_va = 0x74920000 end_va = 0x7497efff entry_point = 0x74920000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1912 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1913 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1914 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1915 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1916 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1917 start_va = 0x50000 end_va = 0x8bfff entry_point = 0x50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1918 start_va = 0x50000 end_va = 0x8bfff entry_point = 0x50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1919 start_va = 0x50000 end_va = 0x8bfff entry_point = 0x50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1920 start_va = 0x50000 end_va = 0x8bfff entry_point = 0x50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1921 start_va = 0x50000 end_va = 0x8bfff entry_point = 0x50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1922 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1923 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1924 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1925 start_va = 0x74de0000 end_va = 0x74e1bfff entry_point = 0x74de0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1926 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1927 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1928 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1929 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1930 start_va = 0x50000 end_va = 0x6cfff entry_point = 0x50000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1931 start_va = 0x7d0000 end_va = 0x897fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1932 start_va = 0x50000 end_va = 0x6cfff entry_point = 0x50000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1933 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1934 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1935 start_va = 0x8a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 1936 start_va = 0x9b0000 end_va = 0xa2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 1937 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1938 start_va = 0x50000 end_va = 0x51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1939 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1940 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1941 start_va = 0xaf0000 end_va = 0xee2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 1942 start_va = 0x74900000 end_va = 0x74904fff entry_point = 0x74900000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1943 start_va = 0x74dd0000 end_va = 0x74dd5fff entry_point = 0x74dd0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1944 start_va = 0x748f0000 end_va = 0x748f5fff entry_point = 0x748f0000 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 1945 start_va = 0x748e0000 end_va = 0x748e5fff entry_point = 0x748e0000 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 1946 start_va = 0x748f0000 end_va = 0x748f5fff entry_point = 0x748f0000 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 1947 start_va = 0x748e0000 end_va = 0x748e5fff entry_point = 0x748e0000 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 2016 start_va = 0x74880000 end_va = 0x748f5fff entry_point = 0x74880000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2019 start_va = 0x74870000 end_va = 0x74878fff entry_point = 0x74870000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2667 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 2668 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2669 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2670 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2671 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 3057 start_va = 0xf00000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 3058 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 3867 start_va = 0x71d20000 end_va = 0x71d57fff entry_point = 0x71d20000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3868 start_va = 0xf40000 end_va = 0x10fffff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4782 start_va = 0xa40000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 4783 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 4796 start_va = 0xf40000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4797 start_va = 0x10c0000 end_va = 0x10fffff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 4798 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 4821 start_va = 0xf80000 end_va = 0x107ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Thread: id = 212 os_tid = 0x27c Thread: id = 215 os_tid = 0x288 Thread: id = 217 os_tid = 0x290 Thread: id = 218 os_tid = 0x294 Thread: id = 219 os_tid = 0x298 Thread: id = 220 os_tid = 0x29c Thread: id = 221 os_tid = 0x2a0 Thread: id = 222 os_tid = 0x2a4 Thread: id = 303 os_tid = 0x400 Thread: id = 495 os_tid = 0x734 Thread: id = 498 os_tid = 0x740 Process: id = "22" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1fa160" os_pid = "0x2a8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x1a8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000af09" [0xc000000f], "LOCAL" [0x7] Region: id = 1948 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1949 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1950 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1951 start_va = 0xae0000 end_va = 0xae7fff entry_point = 0xae0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1952 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1953 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1954 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1955 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1956 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1957 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1966 start_va = 0x1f0000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1967 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1968 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1969 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1970 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1971 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1972 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1973 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1974 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1975 start_va = 0x440000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1976 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1977 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1978 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1979 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1980 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1981 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1982 start_va = 0x190000 end_va = 0x1acfff entry_point = 0x190000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1983 start_va = 0x190000 end_va = 0x1acfff entry_point = 0x190000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1984 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1985 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1986 start_va = 0x1f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1987 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 1988 start_va = 0x440000 end_va = 0x4bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 1989 start_va = 0x590000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 1990 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1991 start_va = 0x190000 end_va = 0x191fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1992 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1993 start_va = 0x300000 end_va = 0x300fff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1994 start_va = 0x4c0000 end_va = 0x51bfff entry_point = 0x4c0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1995 start_va = 0x5a0000 end_va = 0x992fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1996 start_va = 0x4c0000 end_va = 0x51bfff entry_point = 0x4c0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1997 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2020 start_va = 0x4c0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2021 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 2022 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2042 start_va = 0xa00000 end_va = 0xa3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 2043 start_va = 0xaa0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 2044 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 2045 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 2053 start_va = 0xa50000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 2054 start_va = 0xaf0000 end_va = 0xdbefff entry_point = 0xaf0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2055 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 2056 start_va = 0x74760000 end_va = 0x7486bfff entry_point = 0x74760000 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 2059 start_va = 0x500000 end_va = 0x557fff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2060 start_va = 0x310000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 2061 start_va = 0xdc0000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 2062 start_va = 0xff0000 end_va = 0x102ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 2063 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 2064 start_va = 0x330000 end_va = 0x330fff entry_point = 0x330000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2065 start_va = 0x330000 end_va = 0x330fff entry_point = 0x330000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2066 start_va = 0xf10000 end_va = 0xf4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 2067 start_va = 0x74fc0000 end_va = 0x75001fff entry_point = 0x74fc0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2068 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 2069 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2070 start_va = 0x75210000 end_va = 0x75217fff entry_point = 0x75210000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2071 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2072 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2078 start_va = 0x74730000 end_va = 0x74754fff entry_point = 0x74730000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2079 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2080 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2081 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2082 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2083 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2084 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2085 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2086 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2087 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2088 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2089 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2090 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2091 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2116 start_va = 0x74ad0000 end_va = 0x74ad7fff entry_point = 0x74ad0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 2392 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2393 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2394 start_va = 0x74de0000 end_va = 0x74e1bfff entry_point = 0x74de0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2395 start_va = 0x74900000 end_va = 0x74904fff entry_point = 0x74900000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2406 start_va = 0x74dd0000 end_va = 0x74dd5fff entry_point = 0x74dd0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 2417 start_va = 0x749b0000 end_va = 0x749c5fff entry_point = 0x749b0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2450 start_va = 0x9c0000 end_va = 0x9fffff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 2451 start_va = 0x73970000 end_va = 0x73994fff entry_point = 0x73970000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2452 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 2453 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2454 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2455 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2456 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2457 start_va = 0x1080000 end_va = 0x10bffff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 2458 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 2480 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2481 start_va = 0xf50000 end_va = 0xf8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 2482 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 2483 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2484 start_va = 0x1210000 end_va = 0x124ffff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 2485 start_va = 0x74730000 end_va = 0x74750fff entry_point = 0x74730000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2486 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 2527 start_va = 0x77370000 end_va = 0x773b4fff entry_point = 0x77370000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2528 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2529 start_va = 0x500000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2530 start_va = 0x550000 end_va = 0x557fff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 2531 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2532 start_va = 0x520000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 2533 start_va = 0xec0000 end_va = 0xef3fff entry_point = 0xec0000 region_type = mapped_file name = "fltmgr.sys" filename = "\\Windows\\System32\\drivers\\fltMgr.sys" (normalized: "c:\\windows\\system32\\drivers\\fltmgr.sys") Region: id = 2537 start_va = 0x40960000 end_va = 0x40970fff entry_point = 0x40960000 region_type = mapped_file name = "pshed.dll" filename = "\\Windows\\System32\\PSHED.DLL" (normalized: "c:\\windows\\system32\\pshed.dll") Region: id = 2538 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2539 start_va = 0x1170000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x0000000001170000" filename = "" Region: id = 2540 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 2548 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2549 start_va = 0x560000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 2563 start_va = 0x73810000 end_va = 0x738b6fff entry_point = 0x73810000 region_type = mapped_file name = "adtschema.dll" filename = "\\Windows\\System32\\adtschema.dll" (normalized: "c:\\windows\\system32\\adtschema.dll") Region: id = 2564 start_va = 0x1250000 end_va = 0x134ffff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 2572 start_va = 0x738b0000 end_va = 0x738bdfff entry_point = 0x738b0000 region_type = mapped_file name = "microsoft-windows-kernel-power-events.dll" filename = "\\Windows\\System32\\microsoft-windows-kernel-power-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-kernel-power-events.dll") Region: id = 2573 start_va = 0x738b0000 end_va = 0x738b6fff entry_point = 0x738b0000 region_type = mapped_file name = "microsoft-windows-kernel-processor-power-events.dll" filename = "\\Windows\\System32\\microsoft-windows-kernel-processor-power-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-kernel-processor-power-events.dll") Region: id = 2574 start_va = 0xa40000 end_va = 0xa80fff entry_point = 0xa40000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 2575 start_va = 0x74a20000 end_va = 0x74a68fff entry_point = 0x74a20000 region_type = mapped_file name = "umpnpmgr.dll" filename = "\\Windows\\System32\\umpnpmgr.dll" (normalized: "c:\\windows\\system32\\umpnpmgr.dll") Region: id = 2576 start_va = 0x11c0000 end_va = 0x11fffff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 2577 start_va = 0x73920000 end_va = 0x73999fff entry_point = 0x73920000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 2578 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 2579 start_va = 0x738f0000 end_va = 0x73914fff entry_point = 0x738f0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2580 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2581 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2582 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2583 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2584 start_va = 0x73e40000 end_va = 0x73e78fff entry_point = 0x73e40000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2585 start_va = 0x74190000 end_va = 0x74284fff entry_point = 0x74190000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2586 start_va = 0x738e0000 end_va = 0x738e6fff entry_point = 0x738e0000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 2587 start_va = 0x1350000 end_va = 0x144ffff entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 2588 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 2589 start_va = 0x14e0000 end_va = 0x151ffff entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 2590 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 2591 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2592 start_va = 0x540000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 2637 start_va = 0xf90000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 2638 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 2642 start_va = 0x580000 end_va = 0x580fff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 2643 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 2644 start_va = 0x14a0000 end_va = 0x14dffff entry_point = 0x0 region_type = private name = "private_0x00000000014a0000" filename = "" Region: id = 2645 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 2650 start_va = 0x9b0000 end_va = 0x9b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 2651 start_va = 0x1100000 end_va = 0x113ffff entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 2652 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 2999 start_va = 0x73760000 end_va = 0x737f2fff entry_point = 0x73760000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 3005 start_va = 0x75270000 end_va = 0x75298fff entry_point = 0x75270000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3068 start_va = 0x720e0000 end_va = 0x7221dfff entry_point = 0x720e0000 region_type = mapped_file name = "comres.dll" filename = "\\Windows\\System32\\comres.dll" (normalized: "c:\\windows\\system32\\comres.dll") Region: id = 3155 start_va = 0xec0000 end_va = 0xf07fff entry_point = 0xec0000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 3156 start_va = 0x73720000 end_va = 0x7374afff entry_point = 0x73720000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 3157 start_va = 0x73830000 end_va = 0x738b7fff entry_point = 0x73830000 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3266 start_va = 0xec0000 end_va = 0xf07fff entry_point = 0xec0000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 3267 start_va = 0x1460000 end_va = 0x149ffff entry_point = 0x0 region_type = private name = "private_0x0000000001460000" filename = "" Region: id = 3268 start_va = 0x72140000 end_va = 0x72147fff entry_point = 0x72140000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 3269 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 3280 start_va = 0x72230000 end_va = 0x7224bfff entry_point = 0x72230000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3281 start_va = 0x72220000 end_va = 0x72226fff entry_point = 0x72220000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3282 start_va = 0x720f0000 end_va = 0x720f5fff entry_point = 0x720f0000 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 3323 start_va = 0x1510000 end_va = 0x154ffff entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 3324 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 3336 start_va = 0x1560000 end_va = 0x159ffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 3337 start_va = 0x71e00000 end_va = 0x71e3ffff entry_point = 0x71e00000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 3338 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 3384 start_va = 0x74ca0000 end_va = 0x74ce3fff entry_point = 0x74ca0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3385 start_va = 0x15a0000 end_va = 0x16affff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 3386 start_va = 0x16b0000 end_va = 0x18affff entry_point = 0x0 region_type = private name = "private_0x00000000016b0000" filename = "" Region: id = 3387 start_va = 0x1030000 end_va = 0x1073fff entry_point = 0x1030000 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 3388 start_va = 0x74880000 end_va = 0x748f5fff entry_point = 0x74880000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 3389 start_va = 0x74870000 end_va = 0x74878fff entry_point = 0x74870000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3392 start_va = 0x71d90000 end_va = 0x71dc0fff entry_point = 0x71d90000 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 3395 start_va = 0x1620000 end_va = 0x165ffff entry_point = 0x0 region_type = private name = "private_0x0000000001620000" filename = "" Region: id = 3396 start_va = 0x1670000 end_va = 0x16affff entry_point = 0x0 region_type = private name = "private_0x0000000001670000" filename = "" Region: id = 3397 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 3402 start_va = 0x73830000 end_va = 0x738b7fff entry_point = 0x73830000 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3427 start_va = 0x1070000 end_va = 0x10affff entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 3428 start_va = 0x1900000 end_va = 0x193ffff entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 3429 start_va = 0x7ffa9000 end_va = 0x7ffa9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 3430 start_va = 0x7ffaa000 end_va = 0x7ffaafff entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Region: id = 3431 start_va = 0x71d10000 end_va = 0x71d1cfff entry_point = 0x71d10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 3432 start_va = 0x71cf0000 end_va = 0x71d01fff entry_point = 0x71cf0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 3489 start_va = 0xa90000 end_va = 0xa90fff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 4461 start_va = 0x70c10000 end_va = 0x70c12fff entry_point = 0x70c10000 region_type = mapped_file name = "winmgmtr.dll" filename = "\\Windows\\System32\\wbem\\WinMgmtR.dll" (normalized: "c:\\windows\\system32\\wbem\\winmgmtr.dll") Region: id = 4725 start_va = 0x18b0000 end_va = 0x1bbafff entry_point = 0x18b0000 region_type = mapped_file name = "sppsvc.exe" filename = "\\Windows\\System32\\sppsvc.exe" (normalized: "c:\\windows\\system32\\sppsvc.exe") Region: id = 4830 start_va = 0x18b0000 end_va = 0x1caffff entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 4938 start_va = 0x70410000 end_va = 0x70427fff entry_point = 0x70410000 region_type = mapped_file name = "radardt.dll" filename = "\\Windows\\System32\\radardt.dll" (normalized: "c:\\windows\\system32\\radardt.dll") Region: id = 5020 start_va = 0x70870000 end_va = 0x708c9fff entry_point = 0x70870000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 5113 start_va = 0x70330000 end_va = 0x70332fff entry_point = 0x70330000 region_type = mapped_file name = "winmgmtr.dll" filename = "\\Windows\\System32\\wbem\\WinMgmtR.dll" (normalized: "c:\\windows\\system32\\wbem\\winmgmtr.dll") Region: id = 5189 start_va = 0x1cb0000 end_va = 0x1fbafff entry_point = 0x1cb0000 region_type = mapped_file name = "sppsvc.exe" filename = "\\Windows\\System32\\sppsvc.exe" (normalized: "c:\\windows\\system32\\sppsvc.exe") Region: id = 5269 start_va = 0xa90000 end_va = 0xa91fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Thread: id = 224 os_tid = 0x2ac Thread: id = 226 os_tid = 0x2b8 Thread: id = 229 os_tid = 0x2c0 Thread: id = 230 os_tid = 0x2c8 Thread: id = 231 os_tid = 0x2cc Thread: id = 236 os_tid = 0x2e0 Thread: id = 237 os_tid = 0x2e4 Thread: id = 255 os_tid = 0x334 Thread: id = 257 os_tid = 0x33c Thread: id = 262 os_tid = 0x354 Thread: id = 263 os_tid = 0x358 Thread: id = 266 os_tid = 0x364 Thread: id = 275 os_tid = 0x388 Thread: id = 276 os_tid = 0x38c Thread: id = 277 os_tid = 0x390 Thread: id = 280 os_tid = 0x3a0 Thread: id = 282 os_tid = 0x3a8 Thread: id = 330 os_tid = 0x478 Thread: id = 335 os_tid = 0x490 Thread: id = 339 os_tid = 0x4a4 Thread: id = 343 os_tid = 0x4b8 Thread: id = 348 os_tid = 0x4cc Thread: id = 349 os_tid = 0x4d0 Process: id = "23" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x7f1fa180" os_pid = "0x2f4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "16" os_parent_pid = "0x17c" cmd_line = "\"LogonUI.exe\" /flags:0x0" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 2105 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2106 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2107 start_va = 0x100000 end_va = 0x105fff entry_point = 0x100000 region_type = mapped_file name = "logonui.exe" filename = "\\Windows\\System32\\LogonUI.exe" (normalized: "c:\\windows\\system32\\logonui.exe") Region: id = 2108 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2109 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2110 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2111 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2112 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 2113 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 2115 start_va = 0x40000 end_va = 0x41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2117 start_va = 0x190000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2118 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2119 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2120 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2121 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 2122 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2123 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2124 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2125 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2126 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2127 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2128 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2129 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2130 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 2131 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2132 start_va = 0x2a0000 end_va = 0x367fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2133 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 2134 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2135 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2136 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2137 start_va = 0xc0000 end_va = 0xdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2138 start_va = 0x3a0000 end_va = 0x4a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 2139 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2140 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2141 start_va = 0x4b0000 end_va = 0x50bfff entry_point = 0x4b0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2142 start_va = 0x4b0000 end_va = 0x50bfff entry_point = 0x4b0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2143 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2144 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 2145 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2146 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2147 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2148 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2149 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 2150 start_va = 0x74570000 end_va = 0x74726fff entry_point = 0x74570000 region_type = mapped_file name = "authui.dll" filename = "\\Windows\\System32\\authui.dll" (normalized: "c:\\windows\\system32\\authui.dll") Region: id = 2153 start_va = 0x120000 end_va = 0x121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 2154 start_va = 0x74470000 end_va = 0x74567fff entry_point = 0x74470000 region_type = mapped_file name = "cryptui.dll" filename = "\\Windows\\System32\\cryptui.dll" (normalized: "c:\\windows\\system32\\cryptui.dll") Region: id = 2156 start_va = 0x130000 end_va = 0x131fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 2157 start_va = 0x75480000 end_va = 0x7559cfff entry_point = 0x75480000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2158 start_va = 0x75390000 end_va = 0x7539bfff entry_point = 0x75390000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2159 start_va = 0x742d0000 end_va = 0x7446dfff entry_point = 0x742d0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 2160 start_va = 0x765e0000 end_va = 0x76636fff entry_point = 0x765e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2161 start_va = 0x140000 end_va = 0x140fff entry_point = 0x140000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2164 start_va = 0x190000 end_va = 0x191fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2165 start_va = 0x1a0000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 2166 start_va = 0x530000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 2167 start_va = 0x742b0000 end_va = 0x742cdfff entry_point = 0x742b0000 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 2168 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 2169 start_va = 0x74290000 end_va = 0x742a1fff entry_point = 0x74290000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 2170 start_va = 0x700000 end_va = 0x73ffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 2171 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 2173 start_va = 0x74190000 end_va = 0x74284fff entry_point = 0x74190000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2174 start_va = 0x740000 end_va = 0xa0efff entry_point = 0x740000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2175 start_va = 0x74150000 end_va = 0x7418ffff entry_point = 0x74150000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2176 start_va = 0x570000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 2177 start_va = 0x73fc0000 end_va = 0x7414ffff entry_point = 0x73fc0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 2178 start_va = 0xa10000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 2179 start_va = 0x73f00000 end_va = 0x73fb1fff entry_point = 0x73f00000 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 2181 start_va = 0x140000 end_va = 0x141fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 2182 start_va = 0x370000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 2183 start_va = 0x73ed0000 end_va = 0x73efefff entry_point = 0x73ed0000 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 2184 start_va = 0xa30000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 2185 start_va = 0xb30000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 2186 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 2187 start_va = 0x4b0000 end_va = 0x4b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 2188 start_va = 0x4c0000 end_va = 0x4c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 2189 start_va = 0xb40000 end_va = 0xf32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 2190 start_va = 0x73e90000 end_va = 0x73ec7fff entry_point = 0x73e90000 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 2192 start_va = 0x4d0000 end_va = 0x4d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 2193 start_va = 0x73e80000 end_va = 0x73e88fff entry_point = 0x73e80000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 2194 start_va = 0xf40000 end_va = 0x103ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 2195 start_va = 0x73e40000 end_va = 0x73e78fff entry_point = 0x73e40000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2196 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2197 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2198 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2199 start_va = 0x73e20000 end_va = 0x73e32fff entry_point = 0x73e20000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2200 start_va = 0x570000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 2201 start_va = 0x610000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 2202 start_va = 0x73df0000 end_va = 0x73e1efff entry_point = 0x73df0000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 2203 start_va = 0x4f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2204 start_va = 0x500000 end_va = 0x500fff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2205 start_va = 0x510000 end_va = 0x510fff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2206 start_va = 0x520000 end_va = 0x520fff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 2207 start_va = 0x5f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2208 start_va = 0x600000 end_va = 0x600fff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2209 start_va = 0x650000 end_va = 0x650fff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 2210 start_va = 0x660000 end_va = 0x660fff entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 2211 start_va = 0x670000 end_va = 0x670fff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 2212 start_va = 0x680000 end_va = 0x680fff entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 2213 start_va = 0x690000 end_va = 0x690fff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 2214 start_va = 0x6a0000 end_va = 0x6a0fff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 2215 start_va = 0x6b0000 end_va = 0x6b0fff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2216 start_va = 0x6c0000 end_va = 0x6c0fff entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 2217 start_va = 0x6d0000 end_va = 0x6d0fff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 2218 start_va = 0x6e0000 end_va = 0x6e0fff entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 2219 start_va = 0x6f0000 end_va = 0x6f0fff entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 2220 start_va = 0xa10000 end_va = 0xa10fff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 2221 start_va = 0xa20000 end_va = 0xa20fff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 2222 start_va = 0xa70000 end_va = 0xa70fff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 2223 start_va = 0xa80000 end_va = 0xa80fff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 2224 start_va = 0xa90000 end_va = 0xa90fff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 2225 start_va = 0xaa0000 end_va = 0xaa0fff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 2226 start_va = 0xab0000 end_va = 0xab0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 2227 start_va = 0xac0000 end_va = 0xac0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 2228 start_va = 0xad0000 end_va = 0xad0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 2229 start_va = 0xae0000 end_va = 0xae0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 2230 start_va = 0xaf0000 end_va = 0xaf0fff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 2231 start_va = 0xb00000 end_va = 0xb00fff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 2232 start_va = 0xb10000 end_va = 0xb10fff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 2233 start_va = 0xb20000 end_va = 0xb20fff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 2234 start_va = 0x1040000 end_va = 0x1040fff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 2235 start_va = 0x1050000 end_va = 0x1050fff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2236 start_va = 0x1060000 end_va = 0x1060fff entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 2237 start_va = 0x1070000 end_va = 0x1070fff entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 2238 start_va = 0x1080000 end_va = 0x1080fff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 2239 start_va = 0x1090000 end_va = 0x1096fff entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2240 start_va = 0x10a0000 end_va = 0x10a9fff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 2241 start_va = 0x10b0000 end_va = 0x10b6fff entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 2242 start_va = 0x10c0000 end_va = 0x10e3fff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 2243 start_va = 0x10f0000 end_va = 0x10f9fff entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 2244 start_va = 0x1100000 end_va = 0x1106fff entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 2245 start_va = 0x1130000 end_va = 0x1167fff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 2246 start_va = 0x1110000 end_va = 0x1119fff entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 2247 start_va = 0x1120000 end_va = 0x1126fff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 2248 start_va = 0x1170000 end_va = 0x1179fff entry_point = 0x0 region_type = private name = "private_0x0000000001170000" filename = "" Region: id = 2249 start_va = 0x1180000 end_va = 0x1180fff entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 2250 start_va = 0x1190000 end_va = 0x1190fff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 2251 start_va = 0x11a0000 end_va = 0x11a0fff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 2252 start_va = 0x11b0000 end_va = 0x11b0fff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 2253 start_va = 0x11c0000 end_va = 0x11c0fff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 2254 start_va = 0x11d0000 end_va = 0x11d1fff entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 2255 start_va = 0x11e0000 end_va = 0x11e0fff entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 2256 start_va = 0x11f0000 end_va = 0x11f1fff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 2257 start_va = 0x1200000 end_va = 0x1200fff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2258 start_va = 0x1210000 end_va = 0x1211fff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 2259 start_va = 0x1220000 end_va = 0x1220fff entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 2260 start_va = 0x1230000 end_va = 0x1231fff entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 2261 start_va = 0x1240000 end_va = 0x1240fff entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 2262 start_va = 0x1250000 end_va = 0x1250fff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 2263 start_va = 0x1260000 end_va = 0x1260fff entry_point = 0x0 region_type = private name = "private_0x0000000001260000" filename = "" Region: id = 2264 start_va = 0x1270000 end_va = 0x1270fff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 2265 start_va = 0x1280000 end_va = 0x1280fff entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 2266 start_va = 0x1290000 end_va = 0x1290fff entry_point = 0x0 region_type = private name = "private_0x0000000001290000" filename = "" Region: id = 2267 start_va = 0x12a0000 end_va = 0x12a0fff entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 2268 start_va = 0x12b0000 end_va = 0x12b0fff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 2269 start_va = 0x12c0000 end_va = 0x12c0fff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 2270 start_va = 0x12d0000 end_va = 0x12d0fff entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 2271 start_va = 0x12e0000 end_va = 0x12e0fff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 2272 start_va = 0x12f0000 end_va = 0x12f0fff entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 2273 start_va = 0x1300000 end_va = 0x1300fff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 2274 start_va = 0x1310000 end_va = 0x1310fff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 2275 start_va = 0x1320000 end_va = 0x1320fff entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: id = 2276 start_va = 0x1330000 end_va = 0x1330fff entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 2277 start_va = 0x1340000 end_va = 0x1340fff entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 2278 start_va = 0x1350000 end_va = 0x1350fff entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 2279 start_va = 0x1360000 end_va = 0x145ffff entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 2280 start_va = 0x1460000 end_va = 0x27b4fff entry_point = 0x1460000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 2281 start_va = 0x73cf0000 end_va = 0x73deafff entry_point = 0x73cf0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 2282 start_va = 0x4e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2283 start_va = 0x27c0000 end_va = 0x27c0fff entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 2284 start_va = 0x27d0000 end_va = 0x2cc1fff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 2285 start_va = 0x2cd0000 end_va = 0x31c1fff entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 2286 start_va = 0x31d0000 end_va = 0x32cffff entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 2287 start_va = 0x32d0000 end_va = 0x32d1fff entry_point = 0x0 region_type = private name = "private_0x00000000032d0000" filename = "" Region: id = 2288 start_va = 0x2cd0000 end_va = 0x31c1fff entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 2289 start_va = 0x32e0000 end_va = 0x37d1fff entry_point = 0x0 region_type = private name = "private_0x00000000032e0000" filename = "" Region: id = 2290 start_va = 0x37e0000 end_va = 0x3cd1fff entry_point = 0x0 region_type = private name = "private_0x00000000037e0000" filename = "" Region: id = 2291 start_va = 0x73ce0000 end_va = 0x73ce6fff entry_point = 0x73ce0000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 2292 start_va = 0x27d0000 end_va = 0x2897fff entry_point = 0x27d0000 region_type = mapped_file name = "basebrd.dll" filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll") Region: id = 2293 start_va = 0x27d0000 end_va = 0x2897fff entry_point = 0x27d0000 region_type = mapped_file name = "basebrd.dll" filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll") Region: id = 2294 start_va = 0x28a0000 end_va = 0x28b1fff entry_point = 0x0 region_type = private name = "private_0x00000000028a0000" filename = "" Region: id = 2295 start_va = 0x27d0000 end_va = 0x27e1fff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 2296 start_va = 0x2850000 end_va = 0x288ffff entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 2297 start_va = 0x29b0000 end_va = 0x29effff entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 2298 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 2299 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 2300 start_va = 0x73cd0000 end_va = 0x73cdcfff entry_point = 0x73cd0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2301 start_va = 0x75270000 end_va = 0x75298fff entry_point = 0x75270000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2302 start_va = 0x73cb0000 end_va = 0x73cc3fff entry_point = 0x73cb0000 region_type = mapped_file name = "vaultcredprovider.dll" filename = "\\Windows\\System32\\VaultCredProvider.dll" (normalized: "c:\\windows\\system32\\vaultcredprovider.dll") Region: id = 2303 start_va = 0x73c80000 end_va = 0x73ca6fff entry_point = 0x73c80000 region_type = mapped_file name = "smartcardcredentialprovider.dll" filename = "\\Windows\\System32\\SmartcardCredentialProvider.dll" (normalized: "c:\\windows\\system32\\smartcardcredentialprovider.dll") Region: id = 2305 start_va = 0x27f0000 end_va = 0x27f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000027f0000" filename = "" Region: id = 2306 start_va = 0x29f0000 end_va = 0x2c1ffff entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 2307 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2308 start_va = 0x73c50000 end_va = 0x73c7cfff entry_point = 0x73c50000 region_type = mapped_file name = "biocredprov.dll" filename = "\\Windows\\System32\\BioCredProv.dll" (normalized: "c:\\windows\\system32\\biocredprov.dll") Region: id = 2310 start_va = 0x2800000 end_va = 0x2801fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002800000" filename = "" Region: id = 2311 start_va = 0x75210000 end_va = 0x75217fff entry_point = 0x75210000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2312 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2313 start_va = 0x73c30000 end_va = 0x73c40fff entry_point = 0x73c30000 region_type = mapped_file name = "winbio.dll" filename = "\\Windows\\System32\\winbio.dll" (normalized: "c:\\windows\\system32\\winbio.dll") Region: id = 2314 start_va = 0x73c00000 end_va = 0x73c2afff entry_point = 0x73c00000 region_type = mapped_file name = "credui.dll" filename = "\\Windows\\System32\\credui.dll" (normalized: "c:\\windows\\system32\\credui.dll") Region: id = 2315 start_va = 0x73bf0000 end_va = 0x73bfbfff entry_point = 0x73bf0000 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\System32\\vaultcli.dll" (normalized: "c:\\windows\\system32\\vaultcli.dll") Region: id = 2316 start_va = 0x73bd0000 end_va = 0x73be0fff entry_point = 0x73bd0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2317 start_va = 0x73bc0000 end_va = 0x73bc8fff entry_point = 0x73bc0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2318 start_va = 0x74ae0000 end_va = 0x74af8fff entry_point = 0x74ae0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2319 start_va = 0x73bb0000 end_va = 0x73bbefff entry_point = 0x73bb0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2320 start_va = 0x73ba0000 end_va = 0x73baefff entry_point = 0x73ba0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 2322 start_va = 0x2810000 end_va = 0x2811fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002810000" filename = "" Region: id = 2323 start_va = 0x2820000 end_va = 0x282ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002820000" filename = "" Region: id = 2324 start_va = 0x2890000 end_va = 0x2990fff entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 2325 start_va = 0x2890000 end_va = 0x2990fff entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 2326 start_va = 0x2890000 end_va = 0x2990fff entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 2327 start_va = 0x2890000 end_va = 0x2990fff entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 2328 start_va = 0x2890000 end_va = 0x2990fff entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 2329 start_va = 0x73b70000 end_va = 0x73b90fff entry_point = 0x73b70000 region_type = mapped_file name = "certcredprovider.dll" filename = "\\Windows\\System32\\certCredProvider.dll" (normalized: "c:\\windows\\system32\\certcredprovider.dll") Region: id = 2330 start_va = 0x73b00000 end_va = 0x73b61fff entry_point = 0x73b00000 region_type = mapped_file name = "rasplap.dll" filename = "\\Windows\\System32\\rasplap.dll" (normalized: "c:\\windows\\system32\\rasplap.dll") Region: id = 2331 start_va = 0x73aa0000 end_va = 0x73af1fff entry_point = 0x73aa0000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 2332 start_va = 0x73a80000 end_va = 0x73a94fff entry_point = 0x73a80000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 2333 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2334 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2335 start_va = 0x73a70000 end_va = 0x73a7cfff entry_point = 0x73a70000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 2339 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2340 start_va = 0x2830000 end_va = 0x286bfff entry_point = 0x2830000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2341 start_va = 0x2830000 end_va = 0x286bfff entry_point = 0x2830000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2342 start_va = 0x2830000 end_va = 0x286bfff entry_point = 0x2830000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2343 start_va = 0x2830000 end_va = 0x286bfff entry_point = 0x2830000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2344 start_va = 0x2830000 end_va = 0x286bfff entry_point = 0x2830000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2345 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2350 start_va = 0x2830000 end_va = 0x286ffff entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 2351 start_va = 0x2870000 end_va = 0x28a1fff entry_point = 0x2870000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2352 start_va = 0x28b0000 end_va = 0x28effff entry_point = 0x0 region_type = private name = "private_0x00000000028b0000" filename = "" Region: id = 2353 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 2354 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 2355 start_va = 0x2870000 end_va = 0x28a1fff entry_point = 0x2870000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2356 start_va = 0x2870000 end_va = 0x28a1fff entry_point = 0x2870000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2357 start_va = 0x2870000 end_va = 0x28a1fff entry_point = 0x2870000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2358 start_va = 0x2870000 end_va = 0x28a1fff entry_point = 0x2870000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2359 start_va = 0x2870000 end_va = 0x28a1fff entry_point = 0x2870000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2360 start_va = 0x2870000 end_va = 0x28a1fff entry_point = 0x2870000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2361 start_va = 0x2870000 end_va = 0x28a1fff entry_point = 0x2870000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2362 start_va = 0x2870000 end_va = 0x28a1fff entry_point = 0x2870000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2363 start_va = 0x28f0000 end_va = 0x2944fff entry_point = 0x28f0000 region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 2364 start_va = 0x2870000 end_va = 0x28a1fff entry_point = 0x2870000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2365 start_va = 0x2870000 end_va = 0x288efff entry_point = 0x2870000 region_type = mapped_file name = "sptip.dll" filename = "\\Windows\\IME\\SPTIP.DLL" (normalized: "c:\\windows\\ime\\sptip.dll") Region: id = 2366 start_va = 0x28f0000 end_va = 0x293ffff entry_point = 0x28f0000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2367 start_va = 0x28f0000 end_va = 0x293ffff entry_point = 0x28f0000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2368 start_va = 0x28f0000 end_va = 0x293ffff entry_point = 0x28f0000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2369 start_va = 0x28f0000 end_va = 0x293ffff entry_point = 0x28f0000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2370 start_va = 0x28f0000 end_va = 0x293ffff entry_point = 0x28f0000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2371 start_va = 0x28f0000 end_va = 0x293ffff entry_point = 0x28f0000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2372 start_va = 0x28f0000 end_va = 0x293ffff entry_point = 0x28f0000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 2373 start_va = 0x28f0000 end_va = 0x2944fff entry_point = 0x28f0000 region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 2374 start_va = 0x2870000 end_va = 0x28a1fff entry_point = 0x2870000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 2375 start_va = 0x28f0000 end_va = 0x29affff entry_point = 0x28f0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2376 start_va = 0x2870000 end_va = 0x2871fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002870000" filename = "" Region: id = 2377 start_va = 0x2a70000 end_va = 0x2aaffff entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 2378 start_va = 0x2be0000 end_va = 0x2c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002be0000" filename = "" Region: id = 2379 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 2380 start_va = 0x2880000 end_va = 0x2880fff entry_point = 0x0 region_type = private name = "private_0x0000000002880000" filename = "" Region: id = 2381 start_va = 0x2890000 end_va = 0x2890fff entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 2382 start_va = 0x28a0000 end_va = 0x28a0fff entry_point = 0x28a0000 region_type = mapped_file name = "msctf.dll.mui" filename = "\\Windows\\System32\\en-US\\msctf.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msctf.dll.mui") Region: id = 2383 start_va = 0x73a30000 end_va = 0x73a6bfff entry_point = 0x73a30000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 2384 start_va = 0x29f0000 end_va = 0x29f0fff entry_point = 0x29f0000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 2385 start_va = 0x739a0000 end_va = 0x73a2bfff entry_point = 0x739a0000 region_type = mapped_file name = "uiautomationcore.dll" filename = "\\Windows\\System32\\UIAutomationCore.dll" (normalized: "c:\\windows\\system32\\uiautomationcore.dll") Region: id = 2386 start_va = 0x76560000 end_va = 0x76564fff entry_point = 0x76560000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 2388 start_va = 0x752b0000 end_va = 0x7530efff entry_point = 0x752b0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 2389 start_va = 0x2a00000 end_va = 0x2a00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a00000" filename = "" Region: id = 2390 start_va = 0x2a00000 end_va = 0x2a00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a00000" filename = "" Region: id = 2391 start_va = 0x2a00000 end_va = 0x2a00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a00000" filename = "" Region: id = 2398 start_va = 0x755a0000 end_va = 0x755ccfff entry_point = 0x755a0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2399 start_va = 0x2ab0000 end_va = 0x2b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ab0000" filename = "" Region: id = 2400 start_va = 0x37e0000 end_va = 0x410ffff entry_point = 0x37e0000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 2401 start_va = 0x2a00000 end_va = 0x2a05fff entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 2402 start_va = 0x2a10000 end_va = 0x2a10fff entry_point = 0x0 region_type = private name = "private_0x0000000002a10000" filename = "" Region: id = 2403 start_va = 0x2a20000 end_va = 0x2a27fff entry_point = 0x0 region_type = private name = "private_0x0000000002a20000" filename = "" Region: id = 2404 start_va = 0x2a30000 end_va = 0x2a31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a30000" filename = "" Region: id = 2405 start_va = 0x2a30000 end_va = 0x2a31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a30000" filename = "" Region: id = 2840 start_va = 0x2c20000 end_va = 0x2cfefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c20000" filename = "" Region: id = 2841 start_va = 0x2c20000 end_va = 0x2cfefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c20000" filename = "" Region: id = 2842 start_va = 0x2a40000 end_va = 0x2a40fff entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 2843 start_va = 0x2a50000 end_va = 0x2a50fff entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 2844 start_va = 0x2a60000 end_va = 0x2a60fff entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 2845 start_va = 0x2ab0000 end_va = 0x2ab0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ab0000" filename = "" Region: id = 2846 start_va = 0x2ac0000 end_va = 0x2ac0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ac0000" filename = "" Region: id = 2847 start_va = 0x2ad0000 end_va = 0x2ad0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 2848 start_va = 0x2ae0000 end_va = 0x2ae0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 2849 start_va = 0x2af0000 end_va = 0x2af0fff entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 2850 start_va = 0x2b00000 end_va = 0x2b00fff entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 2851 start_va = 0x2b10000 end_va = 0x2b10fff entry_point = 0x0 region_type = private name = "private_0x0000000002b10000" filename = "" Region: id = 2852 start_va = 0x2b20000 end_va = 0x2b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b20000" filename = "" Region: id = 2853 start_va = 0x2b60000 end_va = 0x2b60fff entry_point = 0x0 region_type = private name = "private_0x0000000002b60000" filename = "" Region: id = 2854 start_va = 0x2b70000 end_va = 0x2b70fff entry_point = 0x0 region_type = private name = "private_0x0000000002b70000" filename = "" Region: id = 2855 start_va = 0x2b80000 end_va = 0x2b80fff entry_point = 0x0 region_type = private name = "private_0x0000000002b80000" filename = "" Region: id = 2856 start_va = 0x2b90000 end_va = 0x2b90fff entry_point = 0x0 region_type = private name = "private_0x0000000002b90000" filename = "" Region: id = 2857 start_va = 0x2ba0000 end_va = 0x2ba0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ba0000" filename = "" Region: id = 2858 start_va = 0x2bb0000 end_va = 0x2bb0fff entry_point = 0x0 region_type = private name = "private_0x0000000002bb0000" filename = "" Region: id = 2859 start_va = 0x2bc0000 end_va = 0x2bc0fff entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 2860 start_va = 0x2bd0000 end_va = 0x2bd0fff entry_point = 0x0 region_type = private name = "private_0x0000000002bd0000" filename = "" Region: id = 2861 start_va = 0x2d00000 end_va = 0x2d00fff entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 2862 start_va = 0x2d10000 end_va = 0x2d10fff entry_point = 0x0 region_type = private name = "private_0x0000000002d10000" filename = "" Region: id = 2863 start_va = 0x2d20000 end_va = 0x2d20fff entry_point = 0x0 region_type = private name = "private_0x0000000002d20000" filename = "" Region: id = 2864 start_va = 0x2d30000 end_va = 0x2d30fff entry_point = 0x0 region_type = private name = "private_0x0000000002d30000" filename = "" Region: id = 2865 start_va = 0x2d40000 end_va = 0x2d40fff entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 2866 start_va = 0x2d50000 end_va = 0x2d50fff entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 2867 start_va = 0x2d60000 end_va = 0x2d60fff entry_point = 0x0 region_type = private name = "private_0x0000000002d60000" filename = "" Region: id = 2868 start_va = 0x2d70000 end_va = 0x2d70fff entry_point = 0x0 region_type = private name = "private_0x0000000002d70000" filename = "" Region: id = 2869 start_va = 0x2d80000 end_va = 0x2d80fff entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 2870 start_va = 0x2d90000 end_va = 0x2d90fff entry_point = 0x0 region_type = private name = "private_0x0000000002d90000" filename = "" Region: id = 2871 start_va = 0x2da0000 end_va = 0x2da0fff entry_point = 0x0 region_type = private name = "private_0x0000000002da0000" filename = "" Region: id = 2872 start_va = 0x2db0000 end_va = 0x2db0fff entry_point = 0x0 region_type = private name = "private_0x0000000002db0000" filename = "" Region: id = 2873 start_va = 0x2dc0000 end_va = 0x2dc0fff entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 2874 start_va = 0x2dd0000 end_va = 0x2dd0fff entry_point = 0x0 region_type = private name = "private_0x0000000002dd0000" filename = "" Region: id = 2875 start_va = 0x2de0000 end_va = 0x2de0fff entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Region: id = 2876 start_va = 0x2df0000 end_va = 0x2df0fff entry_point = 0x0 region_type = private name = "private_0x0000000002df0000" filename = "" Region: id = 2877 start_va = 0x2e00000 end_va = 0x2e00fff entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 2878 start_va = 0x2e10000 end_va = 0x2e10fff entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 2879 start_va = 0x2e20000 end_va = 0x2e26fff entry_point = 0x0 region_type = private name = "private_0x0000000002e20000" filename = "" Region: id = 2880 start_va = 0x2e30000 end_va = 0x2e39fff entry_point = 0x0 region_type = private name = "private_0x0000000002e30000" filename = "" Region: id = 2881 start_va = 0x2e40000 end_va = 0x2e46fff entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 2882 start_va = 0x2e50000 end_va = 0x2e73fff entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 2883 start_va = 0x2e80000 end_va = 0x2e89fff entry_point = 0x0 region_type = private name = "private_0x0000000002e80000" filename = "" Region: id = 2884 start_va = 0x2e90000 end_va = 0x2e96fff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 2885 start_va = 0x2ea0000 end_va = 0x2ea9fff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2886 start_va = 0x2eb0000 end_va = 0x2eb6fff entry_point = 0x0 region_type = private name = "private_0x0000000002eb0000" filename = "" Region: id = 2887 start_va = 0x2ec0000 end_va = 0x2ef7fff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 2888 start_va = 0x2f00000 end_va = 0x2f09fff entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 2889 start_va = 0x2f10000 end_va = 0x2f10fff entry_point = 0x0 region_type = private name = "private_0x0000000002f10000" filename = "" Region: id = 2890 start_va = 0x2f20000 end_va = 0x2f20fff entry_point = 0x0 region_type = private name = "private_0x0000000002f20000" filename = "" Region: id = 2891 start_va = 0x2f30000 end_va = 0x2f30fff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2892 start_va = 0x2f40000 end_va = 0x2f40fff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 2893 start_va = 0x2f50000 end_va = 0x2f50fff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2894 start_va = 0x2f60000 end_va = 0x2f61fff entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 2895 start_va = 0x2f70000 end_va = 0x2f70fff entry_point = 0x0 region_type = private name = "private_0x0000000002f70000" filename = "" Region: id = 2896 start_va = 0x2f80000 end_va = 0x2f81fff entry_point = 0x0 region_type = private name = "private_0x0000000002f80000" filename = "" Region: id = 2897 start_va = 0x2f90000 end_va = 0x2f90fff entry_point = 0x0 region_type = private name = "private_0x0000000002f90000" filename = "" Region: id = 2898 start_va = 0x2fa0000 end_va = 0x2fa1fff entry_point = 0x0 region_type = private name = "private_0x0000000002fa0000" filename = "" Region: id = 2899 start_va = 0x2fb0000 end_va = 0x2fb0fff entry_point = 0x0 region_type = private name = "private_0x0000000002fb0000" filename = "" Region: id = 2900 start_va = 0x2fc0000 end_va = 0x2fc1fff entry_point = 0x0 region_type = private name = "private_0x0000000002fc0000" filename = "" Region: id = 2901 start_va = 0x2fd0000 end_va = 0x2fd0fff entry_point = 0x0 region_type = private name = "private_0x0000000002fd0000" filename = "" Region: id = 2902 start_va = 0x2fe0000 end_va = 0x2fe0fff entry_point = 0x0 region_type = private name = "private_0x0000000002fe0000" filename = "" Region: id = 2903 start_va = 0x2ff0000 end_va = 0x2ff0fff entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 2904 start_va = 0x3000000 end_va = 0x3000fff entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2905 start_va = 0x3010000 end_va = 0x3010fff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2906 start_va = 0x3020000 end_va = 0x3020fff entry_point = 0x0 region_type = private name = "private_0x0000000003020000" filename = "" Region: id = 2907 start_va = 0x3030000 end_va = 0x3030fff entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2908 start_va = 0x3040000 end_va = 0x3040fff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 2909 start_va = 0x3050000 end_va = 0x3050fff entry_point = 0x0 region_type = private name = "private_0x0000000003050000" filename = "" Region: id = 2910 start_va = 0x3060000 end_va = 0x3060fff entry_point = 0x0 region_type = private name = "private_0x0000000003060000" filename = "" Region: id = 2911 start_va = 0x3070000 end_va = 0x3070fff entry_point = 0x0 region_type = private name = "private_0x0000000003070000" filename = "" Region: id = 2912 start_va = 0x3080000 end_va = 0x3080fff entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 2913 start_va = 0x3090000 end_va = 0x3090fff entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 2914 start_va = 0x30a0000 end_va = 0x30a0fff entry_point = 0x0 region_type = private name = "private_0x00000000030a0000" filename = "" Region: id = 2915 start_va = 0x30b0000 end_va = 0x30b0fff entry_point = 0x0 region_type = private name = "private_0x00000000030b0000" filename = "" Region: id = 2916 start_va = 0x30c0000 end_va = 0x30c0fff entry_point = 0x0 region_type = private name = "private_0x00000000030c0000" filename = "" Region: id = 2917 start_va = 0x30d0000 end_va = 0x30d0fff entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 2918 start_va = 0x30e0000 end_va = 0x30e0fff entry_point = 0x0 region_type = private name = "private_0x00000000030e0000" filename = "" Region: id = 2919 start_va = 0x30f0000 end_va = 0x3180fff entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 2920 start_va = 0x30f0000 end_va = 0x30f0fff entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 2921 start_va = 0x3100000 end_va = 0x3100fff entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 2922 start_va = 0x3110000 end_va = 0x3110fff entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 2923 start_va = 0x3120000 end_va = 0x3120fff entry_point = 0x0 region_type = private name = "private_0x0000000003120000" filename = "" Region: id = 2924 start_va = 0x3130000 end_va = 0x3130fff entry_point = 0x0 region_type = private name = "private_0x0000000003130000" filename = "" Region: id = 2925 start_va = 0x3140000 end_va = 0x3140fff entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 2926 start_va = 0x3150000 end_va = 0x3150fff entry_point = 0x0 region_type = private name = "private_0x0000000003150000" filename = "" Region: id = 2927 start_va = 0x3160000 end_va = 0x3160fff entry_point = 0x0 region_type = private name = "private_0x0000000003160000" filename = "" Region: id = 2928 start_va = 0x3170000 end_va = 0x3170fff entry_point = 0x0 region_type = private name = "private_0x0000000003170000" filename = "" Region: id = 2929 start_va = 0x3180000 end_va = 0x3180fff entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 2930 start_va = 0x3190000 end_va = 0x3190fff entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2931 start_va = 0x31a0000 end_va = 0x31a0fff entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 2932 start_va = 0x31b0000 end_va = 0x31b0fff entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 2933 start_va = 0x31c0000 end_va = 0x31c0fff entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 2934 start_va = 0x4110000 end_va = 0x4110fff entry_point = 0x0 region_type = private name = "private_0x0000000004110000" filename = "" Region: id = 2935 start_va = 0x4120000 end_va = 0x4120fff entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 2936 start_va = 0x4130000 end_va = 0x4130fff entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 2937 start_va = 0x4140000 end_va = 0x4140fff entry_point = 0x0 region_type = private name = "private_0x0000000004140000" filename = "" Region: id = 2938 start_va = 0x4150000 end_va = 0x4150fff entry_point = 0x0 region_type = private name = "private_0x0000000004150000" filename = "" Region: id = 2939 start_va = 0x4160000 end_va = 0x4160fff entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 2940 start_va = 0x4170000 end_va = 0x4170fff entry_point = 0x0 region_type = private name = "private_0x0000000004170000" filename = "" Region: id = 2941 start_va = 0x4180000 end_va = 0x4180fff entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 2942 start_va = 0x4190000 end_va = 0x4190fff entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 2943 start_va = 0x41a0000 end_va = 0x41a0fff entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 2944 start_va = 0x41b0000 end_va = 0x41b0fff entry_point = 0x0 region_type = private name = "private_0x00000000041b0000" filename = "" Region: id = 2945 start_va = 0x41c0000 end_va = 0x41c0fff entry_point = 0x0 region_type = private name = "private_0x00000000041c0000" filename = "" Region: id = 2946 start_va = 0x41d0000 end_va = 0x41d0fff entry_point = 0x0 region_type = private name = "private_0x00000000041d0000" filename = "" Region: id = 2947 start_va = 0x41e0000 end_va = 0x41e0fff entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 2948 start_va = 0x41f0000 end_va = 0x41f0fff entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 2949 start_va = 0x4200000 end_va = 0x4206fff entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 2950 start_va = 0x4210000 end_va = 0x4219fff entry_point = 0x0 region_type = private name = "private_0x0000000004210000" filename = "" Region: id = 2951 start_va = 0x4220000 end_va = 0x4226fff entry_point = 0x0 region_type = private name = "private_0x0000000004220000" filename = "" Region: id = 2952 start_va = 0x4230000 end_va = 0x4253fff entry_point = 0x0 region_type = private name = "private_0x0000000004230000" filename = "" Region: id = 2953 start_va = 0x4260000 end_va = 0x4269fff entry_point = 0x0 region_type = private name = "private_0x0000000004260000" filename = "" Region: id = 2954 start_va = 0x4270000 end_va = 0x4276fff entry_point = 0x0 region_type = private name = "private_0x0000000004270000" filename = "" Region: id = 2955 start_va = 0x4280000 end_va = 0x4289fff entry_point = 0x0 region_type = private name = "private_0x0000000004280000" filename = "" Region: id = 2956 start_va = 0x4290000 end_va = 0x4296fff entry_point = 0x0 region_type = private name = "private_0x0000000004290000" filename = "" Region: id = 2957 start_va = 0x42a0000 end_va = 0x42d7fff entry_point = 0x0 region_type = private name = "private_0x00000000042a0000" filename = "" Region: id = 2958 start_va = 0x42e0000 end_va = 0x42e9fff entry_point = 0x0 region_type = private name = "private_0x00000000042e0000" filename = "" Region: id = 2959 start_va = 0x42f0000 end_va = 0x42f0fff entry_point = 0x0 region_type = private name = "private_0x00000000042f0000" filename = "" Region: id = 2960 start_va = 0x4300000 end_va = 0x4300fff entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 2961 start_va = 0x4310000 end_va = 0x4310fff entry_point = 0x0 region_type = private name = "private_0x0000000004310000" filename = "" Region: id = 2962 start_va = 0x4320000 end_va = 0x4320fff entry_point = 0x0 region_type = private name = "private_0x0000000004320000" filename = "" Region: id = 2963 start_va = 0x4330000 end_va = 0x4330fff entry_point = 0x0 region_type = private name = "private_0x0000000004330000" filename = "" Region: id = 2964 start_va = 0x4340000 end_va = 0x4341fff entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 2965 start_va = 0x4350000 end_va = 0x4350fff entry_point = 0x0 region_type = private name = "private_0x0000000004350000" filename = "" Region: id = 2966 start_va = 0x4360000 end_va = 0x4361fff entry_point = 0x0 region_type = private name = "private_0x0000000004360000" filename = "" Region: id = 2967 start_va = 0x4370000 end_va = 0x4370fff entry_point = 0x0 region_type = private name = "private_0x0000000004370000" filename = "" Region: id = 2968 start_va = 0x4380000 end_va = 0x4381fff entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 2969 start_va = 0x4390000 end_va = 0x4390fff entry_point = 0x0 region_type = private name = "private_0x0000000004390000" filename = "" Region: id = 2970 start_va = 0x43a0000 end_va = 0x43a1fff entry_point = 0x0 region_type = private name = "private_0x00000000043a0000" filename = "" Region: id = 2971 start_va = 0x43b0000 end_va = 0x43b0fff entry_point = 0x0 region_type = private name = "private_0x00000000043b0000" filename = "" Region: id = 2972 start_va = 0x43c0000 end_va = 0x43c0fff entry_point = 0x0 region_type = private name = "private_0x00000000043c0000" filename = "" Region: id = 2973 start_va = 0x43d0000 end_va = 0x43d0fff entry_point = 0x0 region_type = private name = "private_0x00000000043d0000" filename = "" Region: id = 2974 start_va = 0x43e0000 end_va = 0x43e0fff entry_point = 0x0 region_type = private name = "private_0x00000000043e0000" filename = "" Region: id = 2975 start_va = 0x43f0000 end_va = 0x43f0fff entry_point = 0x0 region_type = private name = "private_0x00000000043f0000" filename = "" Region: id = 2976 start_va = 0x4400000 end_va = 0x4400fff entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2977 start_va = 0x4410000 end_va = 0x4410fff entry_point = 0x0 region_type = private name = "private_0x0000000004410000" filename = "" Region: id = 2978 start_va = 0x4420000 end_va = 0x4420fff entry_point = 0x0 region_type = private name = "private_0x0000000004420000" filename = "" Region: id = 2979 start_va = 0x4430000 end_va = 0x4430fff entry_point = 0x0 region_type = private name = "private_0x0000000004430000" filename = "" Region: id = 2980 start_va = 0x4440000 end_va = 0x4440fff entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 2981 start_va = 0x4450000 end_va = 0x4450fff entry_point = 0x0 region_type = private name = "private_0x0000000004450000" filename = "" Region: id = 2982 start_va = 0x4460000 end_va = 0x4460fff entry_point = 0x0 region_type = private name = "private_0x0000000004460000" filename = "" Region: id = 2983 start_va = 0x4470000 end_va = 0x4470fff entry_point = 0x0 region_type = private name = "private_0x0000000004470000" filename = "" Region: id = 2984 start_va = 0x4480000 end_va = 0x4480fff entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 2985 start_va = 0x4490000 end_va = 0x4490fff entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 2986 start_va = 0x44a0000 end_va = 0x44a0fff entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 2987 start_va = 0x44b0000 end_va = 0x44b0fff entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 2988 start_va = 0x44c0000 end_va = 0x44c0fff entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 2989 start_va = 0x44d0000 end_va = 0x4560fff entry_point = 0x0 region_type = private name = "private_0x00000000044d0000" filename = "" Region: id = 3010 start_va = 0x2a30000 end_va = 0x2a30fff entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 3026 start_va = 0x74ef0000 end_va = 0x74f1afff entry_point = 0x74ef0000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 3027 start_va = 0x2a30000 end_va = 0x2a3bfff entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 3028 start_va = 0x72250000 end_va = 0x735a5fff entry_point = 0x72250000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 3029 start_va = 0x2a40000 end_va = 0x2a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 3030 start_va = 0x2a40000 end_va = 0x2a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 3046 start_va = 0x2a30000 end_va = 0x2a30fff entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 3047 start_va = 0x2ab0000 end_va = 0x2aeffff entry_point = 0x0 region_type = private name = "private_0x0000000002ab0000" filename = "" Region: id = 3048 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 5273 start_va = 0x2da0000 end_va = 0x2ddffff entry_point = 0x0 region_type = private name = "private_0x0000000002da0000" filename = "" Region: id = 5274 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Thread: id = 241 os_tid = 0x2f8 Thread: id = 242 os_tid = 0x2fc Thread: id = 243 os_tid = 0x300 Thread: id = 244 os_tid = 0x304 Thread: id = 245 os_tid = 0x308 Thread: id = 246 os_tid = 0x30c Thread: id = 250 os_tid = 0x31c Thread: id = 251 os_tid = 0x320 Thread: id = 252 os_tid = 0x324 Thread: id = 307 os_tid = 0x410 Thread: id = 537 os_tid = 0x7d8 Process: id = "24" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1fa1a0" os_pid = "0x32c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x1a8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c327" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2407 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2408 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2409 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2410 start_va = 0xae0000 end_va = 0xae7fff entry_point = 0xae0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2411 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2412 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2413 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2414 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 2415 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 2416 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2418 start_va = 0x1b0000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2419 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2420 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2421 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2422 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 2423 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2424 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2425 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2426 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2427 start_va = 0x410000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 2428 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2429 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2430 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2431 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2432 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2433 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2434 start_va = 0x1b0000 end_va = 0x277fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2435 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 2436 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2437 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2438 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2439 start_va = 0xc0000 end_va = 0x13ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2440 start_va = 0x410000 end_va = 0x510fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 2441 start_va = 0x600000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2442 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2443 start_va = 0x140000 end_va = 0x141fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 2444 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2445 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2446 start_va = 0x280000 end_va = 0x2dbfff entry_point = 0x280000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2447 start_va = 0x610000 end_va = 0xa02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 2448 start_va = 0x280000 end_va = 0x2dbfff entry_point = 0x280000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2449 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2459 start_va = 0xaa0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 2460 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 2461 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2462 start_va = 0xb20000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 2463 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 2464 start_va = 0xb90000 end_va = 0xbcffff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 2465 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 2466 start_va = 0xc20000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 2467 start_va = 0xc60000 end_va = 0xf2efff entry_point = 0xc60000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2468 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 2469 start_va = 0x73920000 end_va = 0x73999fff entry_point = 0x73920000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 2487 start_va = 0x738f0000 end_va = 0x73914fff entry_point = 0x738f0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2488 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2489 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2490 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2491 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2492 start_va = 0x73e40000 end_va = 0x73e78fff entry_point = 0x73e40000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2493 start_va = 0x74190000 end_va = 0x74284fff entry_point = 0x74190000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2494 start_va = 0x738e0000 end_va = 0x738e6fff entry_point = 0x738e0000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 2541 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 2542 start_va = 0xf60000 end_va = 0xf9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 2543 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 2544 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2545 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 2546 start_va = 0xa40000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 2547 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 2554 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 2555 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 2556 start_va = 0x765e0000 end_va = 0x76636fff entry_point = 0x765e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2557 start_va = 0x540000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 2558 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 2565 start_va = 0x1090000 end_va = 0x10cffff entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2566 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 2567 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2568 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2569 start_va = 0x5c0000 end_va = 0x5fffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 2570 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 2672 start_va = 0x580000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 2673 start_va = 0x73830000 end_va = 0x738b7fff entry_point = 0x73830000 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 2674 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 2677 start_va = 0x749d0000 end_va = 0x749e6fff entry_point = 0x749d0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2678 start_va = 0x75320000 end_va = 0x7532afff entry_point = 0x75320000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2679 start_va = 0x74980000 end_va = 0x7498afff entry_point = 0x74980000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 2680 start_va = 0x73800000 end_va = 0x73824fff entry_point = 0x73800000 region_type = mapped_file name = "peerdist.dll" filename = "\\Windows\\System32\\PeerDist.dll" (normalized: "c:\\windows\\system32\\peerdist.dll") Region: id = 2681 start_va = 0x74f90000 end_va = 0x74faafff entry_point = 0x74f90000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 2685 start_va = 0xff0000 end_va = 0x102ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 2686 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 2700 start_va = 0xfb0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 2701 start_va = 0x1150000 end_va = 0x118ffff entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 2702 start_va = 0x736a0000 end_va = 0x7371cfff entry_point = 0x736a0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 2703 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 2704 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 2714 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2715 start_va = 0x1190000 end_va = 0x128ffff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 2716 start_va = 0x73630000 end_va = 0x73664fff entry_point = 0x73630000 region_type = mapped_file name = "mstask.dll" filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll") Region: id = 2728 start_va = 0x2c0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 2729 start_va = 0x742d0000 end_va = 0x7446dfff entry_point = 0x742d0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 2730 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x2d0000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2733 start_va = 0x2e0000 end_va = 0x2e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 2734 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2735 start_va = 0xbd0000 end_va = 0xc0bfff entry_point = 0xbd0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2736 start_va = 0xbd0000 end_va = 0xc0bfff entry_point = 0xbd0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2737 start_va = 0xbd0000 end_va = 0xc0bfff entry_point = 0xbd0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2738 start_va = 0xbd0000 end_va = 0xc0bfff entry_point = 0xbd0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2739 start_va = 0xbd0000 end_va = 0xc0bfff entry_point = 0xbd0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2740 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2763 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2995 start_va = 0xbd0000 end_va = 0xc0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 2996 start_va = 0xf50000 end_va = 0xf8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 2997 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 2998 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 3054 start_va = 0x73cd0000 end_va = 0x73cdcfff entry_point = 0x73cd0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3055 start_va = 0x75270000 end_va = 0x75298fff entry_point = 0x75270000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3056 start_va = 0x749b0000 end_va = 0x749c5fff entry_point = 0x749b0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3060 start_va = 0x1100000 end_va = 0x113ffff entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 3061 start_va = 0x12a0000 end_va = 0x12dffff entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 3062 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 3063 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 3197 start_va = 0x1330000 end_va = 0x136ffff entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 3198 start_va = 0x72170000 end_va = 0x7217afff entry_point = 0x72170000 region_type = mapped_file name = "uxsms.dll" filename = "\\Windows\\System32\\uxsms.dll" (normalized: "c:\\windows\\system32\\uxsms.dll") Region: id = 3199 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 3202 start_va = 0x14c0000 end_va = 0x14fffff entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 3203 start_va = 0x7ffaa000 end_va = 0x7ffaafff entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Region: id = 3262 start_va = 0x13b0000 end_va = 0x13effff entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 3263 start_va = 0x1310000 end_va = 0x134ffff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 3264 start_va = 0x7ffa9000 end_va = 0x7ffa9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 4405 start_va = 0x1350000 end_va = 0x138ffff entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 4406 start_va = 0x70ed0000 end_va = 0x70fedfff entry_point = 0x70ed0000 region_type = mapped_file name = "sysmain.dll" filename = "\\Windows\\System32\\sysmain.dll" (normalized: "c:\\windows\\system32\\sysmain.dll") Region: id = 4407 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 4410 start_va = 0x2d0000 end_va = 0x2d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 4411 start_va = 0x13c0000 end_va = 0x13fffff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 4412 start_va = 0x7ffa9000 end_va = 0x7ffa9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 4413 start_va = 0x758f0000 end_va = 0x76539fff entry_point = 0x758f0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4414 start_va = 0x70eb0000 end_va = 0x70ec4fff entry_point = 0x70eb0000 region_type = mapped_file name = "trkwks.dll" filename = "\\Windows\\System32\\trkwks.dll" (normalized: "c:\\windows\\system32\\trkwks.dll") Region: id = 4415 start_va = 0x1500000 end_va = 0x15effff entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 4416 start_va = 0x74730000 end_va = 0x74750fff entry_point = 0x74730000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4417 start_va = 0x77370000 end_va = 0x773b4fff entry_point = 0x77370000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 4421 start_va = 0x1450000 end_va = 0x148ffff entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 4422 start_va = 0x7ffa8000 end_va = 0x7ffa8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa8000" filename = "" Region: id = 4715 start_va = 0x13c0000 end_va = 0x13fffff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 4716 start_va = 0x70830000 end_va = 0x70847fff entry_point = 0x70830000 region_type = mapped_file name = "wpdbusenum.dll" filename = "\\Windows\\System32\\wpdbusenum.dll" (normalized: "c:\\windows\\system32\\wpdbusenum.dll") Region: id = 4717 start_va = 0x7ffa9000 end_va = 0x7ffa9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 4751 start_va = 0x1600000 end_va = 0x163ffff entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 4752 start_va = 0x70850000 end_va = 0x70864fff entry_point = 0x70850000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 4753 start_va = 0x7ffa8000 end_va = 0x7ffa8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa8000" filename = "" Region: id = 4775 start_va = 0x705a0000 end_va = 0x705a9fff entry_point = 0x705a0000 region_type = mapped_file name = "apphlpdm.dll" filename = "\\Windows\\System32\\Apphlpdm.dll" (normalized: "c:\\windows\\system32\\apphlpdm.dll") Region: id = 4789 start_va = 0x70730000 end_va = 0x70790fff entry_point = 0x70730000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 4790 start_va = 0x706a0000 end_va = 0x706ebfff entry_point = 0x706a0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 4791 start_va = 0x1640000 end_va = 0x172ffff entry_point = 0x0 region_type = private name = "private_0x0000000001640000" filename = "" Region: id = 4827 start_va = 0x1470000 end_va = 0x14affff entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 4828 start_va = 0x70450000 end_va = 0x704d8fff entry_point = 0x70450000 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 4829 start_va = 0x7ffa7000 end_va = 0x7ffa7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa7000" filename = "" Region: id = 4836 start_va = 0x70430000 end_va = 0x70441fff entry_point = 0x70430000 region_type = mapped_file name = "portabledeviceconnectapi.dll" filename = "\\Windows\\System32\\PortableDeviceConnectApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceconnectapi.dll") Region: id = 4839 start_va = 0x755a0000 end_va = 0x755ccfff entry_point = 0x755a0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 4840 start_va = 0x75480000 end_va = 0x7559cfff entry_point = 0x75480000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4841 start_va = 0x75390000 end_va = 0x7539bfff entry_point = 0x75390000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4842 start_va = 0x1680000 end_va = 0x16bffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 4843 start_va = 0x16f0000 end_va = 0x172ffff entry_point = 0x0 region_type = private name = "private_0x00000000016f0000" filename = "" Region: id = 4844 start_va = 0x7ffa6000 end_va = 0x7ffa6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa6000" filename = "" Thread: id = 254 os_tid = 0x330 Thread: id = 256 os_tid = 0x338 Thread: id = 258 os_tid = 0x340 Thread: id = 259 os_tid = 0x344 Thread: id = 260 os_tid = 0x348 Thread: id = 265 os_tid = 0x360 Thread: id = 267 os_tid = 0x368 Thread: id = 271 os_tid = 0x378 Thread: id = 272 os_tid = 0x37c Thread: id = 273 os_tid = 0x380 Thread: id = 285 os_tid = 0x3b4 Thread: id = 287 os_tid = 0x3bc Thread: id = 291 os_tid = 0x3cc Thread: id = 293 os_tid = 0x3d4 Thread: id = 300 os_tid = 0x3ec Thread: id = 301 os_tid = 0x3f0 Thread: id = 311 os_tid = 0x420 Thread: id = 312 os_tid = 0x424 Thread: id = 325 os_tid = 0x45c Thread: id = 326 os_tid = 0x460 Thread: id = 331 os_tid = 0x47c Thread: id = 332 os_tid = 0x480 Thread: id = 445 os_tid = 0x660 Thread: id = 446 os_tid = 0x664 Thread: id = 448 os_tid = 0x66c Thread: id = 483 os_tid = 0x6fc Thread: id = 486 os_tid = 0x710 Thread: id = 500 os_tid = 0x748 Thread: id = 503 os_tid = 0x754 Process: id = "25" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1fa1c0" os_pid = "0x34c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x1a8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c567" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2470 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2471 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2472 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2473 start_va = 0xae0000 end_va = 0xae7fff entry_point = 0xae0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2474 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2475 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2476 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2477 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 2478 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 2479 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2495 start_va = 0x110000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2496 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2497 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2498 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2499 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 2500 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2501 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2502 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2503 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2504 start_va = 0x110000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2505 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2506 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2507 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2508 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2509 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2510 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2511 start_va = 0x110000 end_va = 0x12cfff entry_point = 0x110000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2512 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2513 start_va = 0x290000 end_va = 0x357fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 2514 start_va = 0x110000 end_va = 0x12cfff entry_point = 0x110000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2515 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2516 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2517 start_va = 0x360000 end_va = 0x460fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 2518 start_va = 0x470000 end_va = 0x4effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 2519 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2520 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2521 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2522 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 2523 start_va = 0x4f0000 end_va = 0x8e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 2524 start_va = 0x8f0000 end_va = 0x94bfff entry_point = 0x8f0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2525 start_va = 0x8f0000 end_va = 0x94bfff entry_point = 0x8f0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2526 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2534 start_va = 0x9f0000 end_va = 0xa2ffff entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 2535 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 2536 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2550 start_va = 0xb00000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 2551 start_va = 0xb70000 end_va = 0xbaffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 2552 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 2553 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 2559 start_va = 0xa40000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 2560 start_va = 0xbb0000 end_va = 0xe7efff entry_point = 0xbb0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2561 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 2562 start_va = 0x738c0000 end_va = 0x738d1fff entry_point = 0x738c0000 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 2571 start_va = 0x738e0000 end_va = 0x738e6fff entry_point = 0x738e0000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 2675 start_va = 0x910000 end_va = 0x94ffff entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 2676 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 2682 start_va = 0xfc0000 end_va = 0xffffff entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 2683 start_va = 0x73760000 end_va = 0x737f2fff entry_point = 0x73760000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 2684 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 2687 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 2688 start_va = 0x749b0000 end_va = 0x749c5fff entry_point = 0x749b0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2689 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 2690 start_va = 0x77370000 end_va = 0x773b4fff entry_point = 0x77370000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2691 start_va = 0x75210000 end_va = 0x75217fff entry_point = 0x75210000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2692 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2693 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2694 start_va = 0x75220000 end_va = 0x75226fff entry_point = 0x75220000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 2695 start_va = 0x73750000 end_va = 0x7375ffff entry_point = 0x73750000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2696 start_va = 0xe80000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 2697 start_va = 0x1000000 end_va = 0x120ffff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 2698 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2699 start_va = 0x73720000 end_va = 0x7374afff entry_point = 0x73720000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 2705 start_va = 0x1050000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2706 start_va = 0x11d0000 end_va = 0x120ffff entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 2707 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2708 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 2709 start_va = 0x749d0000 end_va = 0x749e6fff entry_point = 0x749d0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2710 start_va = 0x75320000 end_va = 0x7532afff entry_point = 0x75320000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2711 start_va = 0x765e0000 end_va = 0x76636fff entry_point = 0x765e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2712 start_va = 0x73680000 end_va = 0x73693fff entry_point = 0x73680000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 2713 start_va = 0x73670000 end_va = 0x7367bfff entry_point = 0x73670000 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 2717 start_va = 0x75270000 end_va = 0x75298fff entry_point = 0x75270000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2741 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 2742 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2743 start_va = 0x1090000 end_va = 0x118ffff entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 2744 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2745 start_va = 0x990000 end_va = 0x9cbfff entry_point = 0x990000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2746 start_va = 0x990000 end_va = 0x9cbfff entry_point = 0x990000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2747 start_va = 0x990000 end_va = 0x9cbfff entry_point = 0x990000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2748 start_va = 0x990000 end_va = 0x9cbfff entry_point = 0x990000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2749 start_va = 0x990000 end_va = 0x9cbfff entry_point = 0x990000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2750 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2751 start_va = 0x73620000 end_va = 0x73628fff entry_point = 0x73620000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 2752 start_va = 0x73610000 end_va = 0x73619fff entry_point = 0x73610000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 2799 start_va = 0xea0000 end_va = 0xedffff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 2800 start_va = 0xee0000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 2801 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 2802 start_va = 0x9b0000 end_va = 0x9effff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 2803 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 2829 start_va = 0xef0000 end_va = 0x100dfff entry_point = 0xef0000 region_type = mapped_file name = "aero.msstyles" filename = "\\Windows\\Resources\\Themes\\Aero\\aero.msstyles" (normalized: "c:\\windows\\resources\\themes\\aero\\aero.msstyles") Region: id = 2830 start_va = 0x74150000 end_va = 0x7418ffff entry_point = 0x74150000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2831 start_va = 0xef0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 2832 start_va = 0x1210000 end_va = 0x1c0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Region: id = 2833 start_va = 0x1c10000 end_va = 0x260ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c10000" filename = "" Region: id = 2834 start_va = 0x2610000 end_va = 0x26eefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002610000" filename = "" Region: id = 2836 start_va = 0x1210000 end_va = 0x12eefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Region: id = 2837 start_va = 0x1210000 end_va = 0x12eefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001210000" filename = "" Region: id = 3064 start_va = 0x74730000 end_va = 0x74750fff entry_point = 0x74730000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3069 start_va = 0xf20000 end_va = 0xf5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 3070 start_va = 0xfb0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 3071 start_va = 0x720d0000 end_va = 0x720defff entry_point = 0x720d0000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 3072 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 3073 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 3074 start_va = 0x1300000 end_va = 0x133ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 3075 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 3076 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3079 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 3148 start_va = 0xf00000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 3149 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 3167 start_va = 0x13b0000 end_va = 0x13effff entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 3168 start_va = 0x73cd0000 end_va = 0x73cdcfff entry_point = 0x73cd0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3169 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 3172 start_va = 0x735b0000 end_va = 0x735f6fff entry_point = 0x735b0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 3193 start_va = 0x752b0000 end_va = 0x7530efff entry_point = 0x752b0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 3194 start_va = 0x170000 end_va = 0x17bfff entry_point = 0x170000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 3195 start_va = 0x180000 end_va = 0x183fff entry_point = 0x180000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 3261 start_va = 0x74290000 end_va = 0x742a1fff entry_point = 0x74290000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 3446 start_va = 0xaa0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 3447 start_va = 0x1240000 end_va = 0x127ffff entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 3448 start_va = 0x13c0000 end_va = 0x13fffff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 3449 start_va = 0x71c90000 end_va = 0x71ce1fff entry_point = 0x71c90000 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 3450 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 3455 start_va = 0x1400000 end_va = 0x150ffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 3460 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3461 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3462 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3463 start_va = 0x755a0000 end_va = 0x755ccfff entry_point = 0x755a0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 3464 start_va = 0x75480000 end_va = 0x7559cfff entry_point = 0x75480000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3465 start_va = 0x75390000 end_va = 0x7539bfff entry_point = 0x75390000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3466 start_va = 0x71c40000 end_va = 0x71c82fff entry_point = 0x71c40000 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 3467 start_va = 0x1000000 end_va = 0x103ffff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 3468 start_va = 0x71c30000 end_va = 0x71c36fff entry_point = 0x71c30000 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 3469 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 3470 start_va = 0x71c20000 end_va = 0x71c27fff entry_point = 0x71c20000 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 3471 start_va = 0x73bd0000 end_va = 0x73be0fff entry_point = 0x73bd0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3472 start_va = 0x73bc0000 end_va = 0x73bc8fff entry_point = 0x73bc0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3473 start_va = 0x74ae0000 end_va = 0x74af8fff entry_point = 0x74ae0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3474 start_va = 0x73bb0000 end_va = 0x73bbefff entry_point = 0x73bb0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3475 start_va = 0x74c70000 end_va = 0x74c91fff entry_point = 0x74c70000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 3477 start_va = 0x71b60000 end_va = 0x71c19fff entry_point = 0x71b60000 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 3483 start_va = 0x74980000 end_va = 0x7498afff entry_point = 0x74980000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 3484 start_va = 0x758f0000 end_va = 0x76539fff entry_point = 0x758f0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3485 start_va = 0x74fc0000 end_va = 0x75001fff entry_point = 0x74fc0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 3486 start_va = 0x74f90000 end_va = 0x74faafff entry_point = 0x74f90000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 3487 start_va = 0x74aa0000 end_va = 0x74acbfff entry_point = 0x74aa0000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 3488 start_va = 0x71b50000 end_va = 0x71b58fff entry_point = 0x71b50000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 3491 start_va = 0x73df0000 end_va = 0x73e1efff entry_point = 0x73df0000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 3492 start_va = 0x1510000 end_va = 0x163ffff entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 3496 start_va = 0x71b40000 end_va = 0x71b4afff entry_point = 0x71b40000 region_type = mapped_file name = "wiarpc.dll" filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll") Region: id = 3512 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3513 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3514 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3515 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3516 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3517 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3518 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3519 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3520 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3521 start_va = 0x74ad0000 end_va = 0x74ad7fff entry_point = 0x74ad0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 3532 start_va = 0x1350000 end_va = 0x138ffff entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 3533 start_va = 0x1440000 end_va = 0x147ffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 3534 start_va = 0x14d0000 end_va = 0x150ffff entry_point = 0x0 region_type = private name = "private_0x00000000014d0000" filename = "" Region: id = 3535 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 3536 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 3537 start_va = 0x71ab0000 end_va = 0x71afcfff entry_point = 0x71ab0000 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 3539 start_va = 0x74870000 end_va = 0x74878fff entry_point = 0x74870000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3542 start_va = 0x1480000 end_va = 0x14bffff entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 3543 start_va = 0x7ffaa000 end_va = 0x7ffaafff entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Region: id = 3544 start_va = 0x74de0000 end_va = 0x74e1bfff entry_point = 0x74de0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3545 start_va = 0x74900000 end_va = 0x74904fff entry_point = 0x74900000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 3546 start_va = 0x74dd0000 end_va = 0x74dd5fff entry_point = 0x74dd0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 3547 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3562 start_va = 0x74ef0000 end_va = 0x74f1afff entry_point = 0x74ef0000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 3563 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3564 start_va = 0x15b0000 end_va = 0x15effff entry_point = 0x0 region_type = private name = "private_0x00000000015b0000" filename = "" Region: id = 3565 start_va = 0x1600000 end_va = 0x163ffff entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 3566 start_va = 0x7ffa9000 end_va = 0x7ffa9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 3567 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3620 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3621 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3763 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3764 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3786 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3787 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3788 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3789 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3790 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3791 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3799 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3813 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3814 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3837 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3838 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3856 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3879 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3880 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3881 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3882 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3883 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3884 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3885 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3886 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3887 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3888 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3892 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 3893 start_va = 0x742d0000 end_va = 0x7446dfff entry_point = 0x742d0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 3894 start_va = 0x8f0000 end_va = 0x8f0fff entry_point = 0x8f0000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 3895 start_va = 0x900000 end_va = 0x901fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 3910 start_va = 0x74190000 end_va = 0x74284fff entry_point = 0x74190000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3911 start_va = 0x8f0000 end_va = 0x8f3fff entry_point = 0x8f0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 3912 start_va = 0xb40000 end_va = 0xb6ffff entry_point = 0xb40000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db") Region: id = 3913 start_va = 0x990000 end_va = 0x993fff entry_point = 0x990000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 3914 start_va = 0xf40000 end_va = 0xfa5fff entry_point = 0xf40000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 3920 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 3921 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4418 start_va = 0x1550000 end_va = 0x158ffff entry_point = 0x0 region_type = private name = "private_0x0000000001550000" filename = "" Region: id = 4419 start_va = 0x70e80000 end_va = 0x70eaafff entry_point = 0x70e80000 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 4420 start_va = 0x7ffa8000 end_va = 0x7ffa8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa8000" filename = "" Region: id = 4424 start_va = 0x70e20000 end_va = 0x70e7bfff entry_point = 0x70e20000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 4425 start_va = 0x1640000 end_va = 0x16cffff entry_point = 0x0 region_type = private name = "private_0x0000000001640000" filename = "" Region: id = 4427 start_va = 0x12c0000 end_va = 0x12fffff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 4428 start_va = 0x70da0000 end_va = 0x70e1cfff entry_point = 0x70da0000 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 4429 start_va = 0x7ffa7000 end_va = 0x7ffa7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa7000" filename = "" Region: id = 4430 start_va = 0x72220000 end_va = 0x72226fff entry_point = 0x72220000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4431 start_va = 0x74880000 end_va = 0x748f5fff entry_point = 0x74880000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 4432 start_va = 0x72230000 end_va = 0x7224bfff entry_point = 0x72230000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4433 start_va = 0x71d20000 end_va = 0x71d57fff entry_point = 0x71d20000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 4434 start_va = 0x73a70000 end_va = 0x73a7cfff entry_point = 0x73a70000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 4435 start_va = 0x70d60000 end_va = 0x70d92fff entry_point = 0x70d60000 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 4438 start_va = 0x70d20000 end_va = 0x70d51fff entry_point = 0x70d20000 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 4439 start_va = 0x16d0000 end_va = 0x188ffff entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 4440 start_va = 0x1890000 end_va = 0x1a6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001890000" filename = "" Region: id = 4441 start_va = 0x1890000 end_va = 0x1a3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001890000" filename = "" Region: id = 4442 start_va = 0x1a60000 end_va = 0x1a6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a60000" filename = "" Region: id = 4450 start_va = 0x16d0000 end_va = 0x17cffff entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 4451 start_va = 0x1850000 end_va = 0x188ffff entry_point = 0x0 region_type = private name = "private_0x0000000001850000" filename = "" Region: id = 4454 start_va = 0x1280000 end_va = 0x12fffff entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 4455 start_va = 0x1650000 end_va = 0x168ffff entry_point = 0x0 region_type = private name = "private_0x0000000001650000" filename = "" Region: id = 4456 start_va = 0x1690000 end_va = 0x16cffff entry_point = 0x0 region_type = private name = "private_0x0000000001690000" filename = "" Region: id = 4457 start_va = 0x1930000 end_va = 0x196ffff entry_point = 0x0 region_type = private name = "private_0x0000000001930000" filename = "" Region: id = 4458 start_va = 0x1a00000 end_va = 0x1a3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 4459 start_va = 0x7ffa5000 end_va = 0x7ffa5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa5000" filename = "" Region: id = 4460 start_va = 0x7ffa6000 end_va = 0x7ffa6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa6000" filename = "" Region: id = 4469 start_va = 0x18a0000 end_va = 0x18dffff entry_point = 0x0 region_type = private name = "private_0x00000000018a0000" filename = "" Region: id = 4470 start_va = 0x1b00000 end_va = 0x1b3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 4471 start_va = 0x7ffa4000 end_va = 0x7ffa4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa4000" filename = "" Region: id = 4472 start_va = 0x7ffa7000 end_va = 0x7ffa7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa7000" filename = "" Region: id = 4473 start_va = 0x1b40000 end_va = 0x1cfffff entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 4474 start_va = 0x1b40000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 4475 start_va = 0x1cc0000 end_va = 0x1cfffff entry_point = 0x0 region_type = private name = "private_0x0000000001cc0000" filename = "" Region: id = 4476 start_va = 0x1b40000 end_va = 0x1c3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b40000" filename = "" Region: id = 4477 start_va = 0x1c40000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 4478 start_va = 0xe80000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 4479 start_va = 0x70bf0000 end_va = 0x70c1bfff entry_point = 0x70bf0000 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 4480 start_va = 0x70bd0000 end_va = 0x70beafff entry_point = 0x70bd0000 region_type = mapped_file name = "browser.dll" filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll") Region: id = 4481 start_va = 0x1a70000 end_va = 0x1aaffff entry_point = 0x0 region_type = private name = "private_0x0000000001a70000" filename = "" Region: id = 4482 start_va = 0x70b60000 end_va = 0x70bc6fff entry_point = 0x70b60000 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 4483 start_va = 0x7ffa3000 end_va = 0x7ffa3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa3000" filename = "" Region: id = 4484 start_va = 0x1d00000 end_va = 0x1e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 4485 start_va = 0x71390000 end_va = 0x714a5fff entry_point = 0x71390000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 4486 start_va = 0x71380000 end_va = 0x7138ffff entry_point = 0x71380000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 4487 start_va = 0x73ba0000 end_va = 0x73baefff entry_point = 0x73ba0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4488 start_va = 0x1d00000 end_va = 0x1dfffff entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 4489 start_va = 0x1e20000 end_va = 0x1e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e20000" filename = "" Region: id = 4490 start_va = 0x749f0000 end_va = 0x749fdfff entry_point = 0x749f0000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 4491 start_va = 0x70b50000 end_va = 0x70b51fff entry_point = 0x70b50000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Region: id = 4492 start_va = 0x1510000 end_va = 0x154ffff entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 4493 start_va = 0x7ffa2000 end_va = 0x7ffa2fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa2000" filename = "" Region: id = 4494 start_va = 0x70b40000 end_va = 0x70b55fff entry_point = 0x70b40000 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 4495 start_va = 0x1980000 end_va = 0x19bffff entry_point = 0x0 region_type = private name = "private_0x0000000001980000" filename = "" Region: id = 4496 start_va = 0x1e30000 end_va = 0x1e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 4497 start_va = 0x7ffa0000 end_va = 0x7ffa0fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa0000" filename = "" Region: id = 4498 start_va = 0x7ffa1000 end_va = 0x7ffa1fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa1000" filename = "" Region: id = 4499 start_va = 0x70a70000 end_va = 0x70b31fff entry_point = 0x70a70000 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 4500 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4501 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4502 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4503 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4504 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4505 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4506 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4507 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4508 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4509 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4510 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4511 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4512 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4513 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4514 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4515 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4516 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4517 start_va = 0x70a20000 end_va = 0x70a63fff entry_point = 0x70a20000 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 4518 start_va = 0x70c50000 end_va = 0x70ce5fff entry_point = 0x70c50000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 4519 start_va = 0x70c30000 end_va = 0x70c47fff entry_point = 0x70c30000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 4520 start_va = 0x1e70000 end_va = 0x201ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 4521 start_va = 0x1190000 end_va = 0x11cffff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 4522 start_va = 0x70a10000 end_va = 0x70a15fff entry_point = 0x70a10000 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 4523 start_va = 0x7ffa2000 end_va = 0x7ffa2fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa2000" filename = "" Region: id = 4524 start_va = 0x709d0000 end_va = 0x70a0afff entry_point = 0x709d0000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 4525 start_va = 0x75010000 end_va = 0x75020fff entry_point = 0x75010000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 4526 start_va = 0x709b0000 end_va = 0x709c3fff entry_point = 0x709b0000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 4527 start_va = 0x709a0000 end_va = 0x709aefff entry_point = 0x709a0000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 4528 start_va = 0x1d30000 end_va = 0x1d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d30000" filename = "" Region: id = 4529 start_va = 0x1df0000 end_va = 0x1dfffff entry_point = 0x0 region_type = private name = "private_0x0000000001df0000" filename = "" Region: id = 4530 start_va = 0x7ff9f000 end_va = 0x7ff9ffff entry_point = 0x0 region_type = private name = "private_0x000000007ff9f000" filename = "" Region: id = 4534 start_va = 0x1ef0000 end_va = 0x1f2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 4535 start_va = 0x1fe0000 end_va = 0x201ffff entry_point = 0x0 region_type = private name = "private_0x0000000001fe0000" filename = "" Region: id = 4536 start_va = 0x7ff9e000 end_va = 0x7ff9efff entry_point = 0x0 region_type = private name = "private_0x000000007ff9e000" filename = "" Region: id = 4537 start_va = 0x1f40000 end_va = 0x1f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 4538 start_va = 0x70950000 end_va = 0x70999fff entry_point = 0x70950000 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 4539 start_va = 0x7ff9d000 end_va = 0x7ff9dfff entry_point = 0x0 region_type = private name = "private_0x000000007ff9d000" filename = "" Region: id = 4540 start_va = 0x70c20000 end_va = 0x70c29fff entry_point = 0x70c20000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 4541 start_va = 0x74ca0000 end_va = 0x74ce3fff entry_point = 0x74ca0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 4542 start_va = 0x2020000 end_va = 0x212ffff entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 4544 start_va = 0x1ab0000 end_va = 0x1aeffff entry_point = 0x0 region_type = private name = "private_0x0000000001ab0000" filename = "" Region: id = 4545 start_va = 0x7ff9c000 end_va = 0x7ff9cfff entry_point = 0x0 region_type = private name = "private_0x000000007ff9c000" filename = "" Region: id = 4546 start_va = 0x70930000 end_va = 0x70946fff entry_point = 0x70930000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 4547 start_va = 0x708e0000 end_va = 0x7092bfff entry_point = 0x708e0000 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 4548 start_va = 0x71d10000 end_va = 0x71d1cfff entry_point = 0x71d10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4549 start_va = 0x71cf0000 end_va = 0x71d01fff entry_point = 0x71cf0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4550 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4551 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4557 start_va = 0x708d0000 end_va = 0x708d5fff entry_point = 0x708d0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 4607 start_va = 0x1eb0000 end_va = 0x1eeffff entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 4608 start_va = 0x70870000 end_va = 0x708c9fff entry_point = 0x70870000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4609 start_va = 0x7ff9b000 end_va = 0x7ff9bfff entry_point = 0x0 region_type = private name = "private_0x000000007ff9b000" filename = "" Region: id = 4631 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4632 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4737 start_va = 0x2130000 end_va = 0x222ffff entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 4766 start_va = 0x2230000 end_va = 0x242ffff entry_point = 0x0 region_type = private name = "private_0x0000000002230000" filename = "" Region: id = 4795 start_va = 0x70590000 end_va = 0x70597fff entry_point = 0x70590000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4816 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4818 start_va = 0x2430000 end_va = 0x282ffff entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 4884 start_va = 0x1da0000 end_va = 0x1ddffff entry_point = 0x0 region_type = private name = "private_0x0000000001da0000" filename = "" Region: id = 4885 start_va = 0x1fa0000 end_va = 0x1fdffff entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 4886 start_va = 0x7ff99000 end_va = 0x7ff99fff entry_point = 0x0 region_type = private name = "private_0x000000007ff99000" filename = "" Region: id = 4887 start_va = 0x7ff9a000 end_va = 0x7ff9afff entry_point = 0x0 region_type = private name = "private_0x000000007ff9a000" filename = "" Region: id = 4926 start_va = 0x2830000 end_va = 0x302ffff entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 4932 start_va = 0x2020000 end_va = 0x205ffff entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 4933 start_va = 0x20f0000 end_va = 0x212ffff entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 4934 start_va = 0x7ff98000 end_va = 0x7ff98fff entry_point = 0x0 region_type = private name = "private_0x000000007ff98000" filename = "" Region: id = 4936 start_va = 0x17d0000 end_va = 0x180ffff entry_point = 0x0 region_type = private name = "private_0x00000000017d0000" filename = "" Region: id = 4937 start_va = 0x7ff97000 end_va = 0x7ff97fff entry_point = 0x0 region_type = private name = "private_0x000000007ff97000" filename = "" Region: id = 5011 start_va = 0xa80000 end_va = 0xa90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 5012 start_va = 0x1c80000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 5013 start_va = 0x20a0000 end_va = 0x20dffff entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 5014 start_va = 0x3050000 end_va = 0x308ffff entry_point = 0x0 region_type = private name = "private_0x0000000003050000" filename = "" Region: id = 5015 start_va = 0x3160000 end_va = 0x319ffff entry_point = 0x0 region_type = private name = "private_0x0000000003160000" filename = "" Region: id = 5016 start_va = 0x7ff93000 end_va = 0x7ff93fff entry_point = 0x0 region_type = private name = "private_0x000000007ff93000" filename = "" Region: id = 5017 start_va = 0x7ff94000 end_va = 0x7ff94fff entry_point = 0x0 region_type = private name = "private_0x000000007ff94000" filename = "" Region: id = 5018 start_va = 0x7ff95000 end_va = 0x7ff95fff entry_point = 0x0 region_type = private name = "private_0x000000007ff95000" filename = "" Region: id = 5019 start_va = 0x7ff96000 end_va = 0x7ff96fff entry_point = 0x0 region_type = private name = "private_0x000000007ff96000" filename = "" Region: id = 5076 start_va = 0x31a0000 end_va = 0x416ffff entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 5098 start_va = 0x70230000 end_va = 0x702b0fff entry_point = 0x70230000 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 5099 start_va = 0x703f0000 end_va = 0x703fefff entry_point = 0x703f0000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 5105 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 5106 start_va = 0x30d0000 end_va = 0x310ffff entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 5107 start_va = 0x7ff92000 end_va = 0x7ff92fff entry_point = 0x0 region_type = private name = "private_0x000000007ff92000" filename = "" Region: id = 5108 start_va = 0x70340000 end_va = 0x70395fff entry_point = 0x70340000 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 5109 start_va = 0x41e0000 end_va = 0x421ffff entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 5110 start_va = 0x7ff91000 end_va = 0x7ff91fff entry_point = 0x0 region_type = private name = "private_0x000000007ff91000" filename = "" Region: id = 5111 start_va = 0x3120000 end_va = 0x315ffff entry_point = 0x0 region_type = private name = "private_0x0000000003120000" filename = "" Region: id = 5112 start_va = 0x7ff90000 end_va = 0x7ff90fff entry_point = 0x0 region_type = private name = "private_0x000000007ff90000" filename = "" Region: id = 5114 start_va = 0x42d0000 end_va = 0x430ffff entry_point = 0x0 region_type = private name = "private_0x00000000042d0000" filename = "" Region: id = 5115 start_va = 0x7ff8f000 end_va = 0x7ff8ffff entry_point = 0x0 region_type = private name = "private_0x000000007ff8f000" filename = "" Region: id = 5116 start_va = 0x4290000 end_va = 0x42cffff entry_point = 0x0 region_type = private name = "private_0x0000000004290000" filename = "" Region: id = 5117 start_va = 0x3090000 end_va = 0x30cffff entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 5118 start_va = 0x1400000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 5119 start_va = 0x43a0000 end_va = 0x43dffff entry_point = 0x0 region_type = private name = "private_0x00000000043a0000" filename = "" Region: id = 5121 start_va = 0x18f0000 end_va = 0x192ffff entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 5122 start_va = 0x18f0000 end_va = 0x192ffff entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 5123 start_va = 0x4290000 end_va = 0x42cffff entry_point = 0x0 region_type = private name = "private_0x0000000004290000" filename = "" Region: id = 5124 start_va = 0x1810000 end_va = 0x184ffff entry_point = 0x0 region_type = private name = "private_0x0000000001810000" filename = "" Region: id = 5125 start_va = 0x4270000 end_va = 0x42affff entry_point = 0x0 region_type = private name = "private_0x0000000004270000" filename = "" Region: id = 5126 start_va = 0x3090000 end_va = 0x30cffff entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 5127 start_va = 0xa30000 end_va = 0xa30fff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 5128 start_va = 0xa30000 end_va = 0xa30fff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 5129 start_va = 0x43a0000 end_va = 0x43dffff entry_point = 0x0 region_type = private name = "private_0x00000000043a0000" filename = "" Region: id = 5130 start_va = 0x4340000 end_va = 0x437ffff entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 5131 start_va = 0x4340000 end_va = 0x437ffff entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 5132 start_va = 0x1400000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 5134 start_va = 0x4270000 end_va = 0x42affff entry_point = 0x0 region_type = private name = "private_0x0000000004270000" filename = "" Region: id = 5135 start_va = 0x4320000 end_va = 0x435ffff entry_point = 0x0 region_type = private name = "private_0x0000000004320000" filename = "" Region: id = 5136 start_va = 0x18f0000 end_va = 0x192ffff entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 5137 start_va = 0x1400000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 5138 start_va = 0x4340000 end_va = 0x437ffff entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 5139 start_va = 0x3090000 end_va = 0x30cffff entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 5140 start_va = 0x4180000 end_va = 0x41bffff entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 5141 start_va = 0x1e70000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5142 start_va = 0x18f0000 end_va = 0x192ffff entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 5143 start_va = 0x4270000 end_va = 0x42affff entry_point = 0x0 region_type = private name = "private_0x0000000004270000" filename = "" Region: id = 5161 start_va = 0x4310000 end_va = 0x440ffff entry_point = 0x0 region_type = private name = "private_0x0000000004310000" filename = "" Region: id = 5163 start_va = 0x4480000 end_va = 0x44bffff entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 5164 start_va = 0x1810000 end_va = 0x184ffff entry_point = 0x0 region_type = private name = "private_0x0000000001810000" filename = "" Region: id = 5165 start_va = 0x4480000 end_va = 0x44bffff entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 5166 start_va = 0x4230000 end_va = 0x426ffff entry_point = 0x0 region_type = private name = "private_0x0000000004230000" filename = "" Region: id = 5194 start_va = 0x41a0000 end_va = 0x41dffff entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 5195 start_va = 0x4290000 end_va = 0x42cffff entry_point = 0x0 region_type = private name = "private_0x0000000004290000" filename = "" Region: id = 5196 start_va = 0x4460000 end_va = 0x449ffff entry_point = 0x0 region_type = private name = "private_0x0000000004460000" filename = "" Region: id = 5197 start_va = 0x4230000 end_va = 0x426ffff entry_point = 0x0 region_type = private name = "private_0x0000000004230000" filename = "" Region: id = 5198 start_va = 0x41a0000 end_va = 0x41dffff entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 5199 start_va = 0x4230000 end_va = 0x426ffff entry_point = 0x0 region_type = private name = "private_0x0000000004230000" filename = "" Region: id = 5200 start_va = 0x1810000 end_va = 0x184ffff entry_point = 0x0 region_type = private name = "private_0x0000000001810000" filename = "" Region: id = 5201 start_va = 0x4230000 end_va = 0x426ffff entry_point = 0x0 region_type = private name = "private_0x0000000004230000" filename = "" Region: id = 5210 start_va = 0x44a0000 end_va = 0x44dffff entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 5211 start_va = 0x4480000 end_va = 0x44bffff entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 5212 start_va = 0x1e70000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5213 start_va = 0x1400000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 5214 start_va = 0x4270000 end_va = 0x42affff entry_point = 0x0 region_type = private name = "private_0x0000000004270000" filename = "" Region: id = 5215 start_va = 0x4230000 end_va = 0x426ffff entry_point = 0x0 region_type = private name = "private_0x0000000004230000" filename = "" Region: id = 5216 start_va = 0x1810000 end_va = 0x184ffff entry_point = 0x0 region_type = private name = "private_0x0000000001810000" filename = "" Region: id = 5217 start_va = 0x41a0000 end_va = 0x41dffff entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 5218 start_va = 0x1400000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 5219 start_va = 0x4290000 end_va = 0x42cffff entry_point = 0x0 region_type = private name = "private_0x0000000004290000" filename = "" Region: id = 5220 start_va = 0x18f0000 end_va = 0x192ffff entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 5221 start_va = 0x41a0000 end_va = 0x41dffff entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 5222 start_va = 0x4290000 end_va = 0x42cffff entry_point = 0x0 region_type = private name = "private_0x0000000004290000" filename = "" Region: id = 5223 start_va = 0x4440000 end_va = 0x447ffff entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 5224 start_va = 0x4440000 end_va = 0x447ffff entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 5225 start_va = 0x4420000 end_va = 0x445ffff entry_point = 0x0 region_type = private name = "private_0x0000000004420000" filename = "" Region: id = 5228 start_va = 0x1400000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 5229 start_va = 0x4180000 end_va = 0x41bffff entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 5230 start_va = 0x1e70000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5231 start_va = 0x44a0000 end_va = 0x44dffff entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 5232 start_va = 0x18f0000 end_va = 0x192ffff entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 5233 start_va = 0x3090000 end_va = 0x30cffff entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 5234 start_va = 0x4480000 end_va = 0x44bffff entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 5235 start_va = 0x4440000 end_va = 0x447ffff entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 5236 start_va = 0x4250000 end_va = 0x428ffff entry_point = 0x0 region_type = private name = "private_0x0000000004250000" filename = "" Region: id = 5237 start_va = 0x4180000 end_va = 0x41bffff entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 5238 start_va = 0x44a0000 end_va = 0x44dffff entry_point = 0x0 region_type = private name = "private_0x00000000044a0000" filename = "" Region: id = 5239 start_va = 0x4230000 end_va = 0x426ffff entry_point = 0x0 region_type = private name = "private_0x0000000004230000" filename = "" Region: id = 5293 start_va = 0x1400000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 5294 start_va = 0x7ff8e000 end_va = 0x7ff8efff entry_point = 0x0 region_type = private name = "private_0x000000007ff8e000" filename = "" Region: id = 5332 start_va = 0xa30000 end_va = 0xa3bfff entry_point = 0xa30000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 5333 start_va = 0xa80000 end_va = 0xa83fff entry_point = 0xa80000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 5337 start_va = 0xa30000 end_va = 0xa3bfff entry_point = 0xa30000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 5338 start_va = 0xa80000 end_va = 0xa83fff entry_point = 0xa80000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Thread: id = 261 os_tid = 0x350 Thread: id = 264 os_tid = 0x35c Thread: id = 268 os_tid = 0x36c Thread: id = 269 os_tid = 0x370 Thread: id = 270 os_tid = 0x374 Thread: id = 274 os_tid = 0x384 Thread: id = 286 os_tid = 0x3b8 Thread: id = 288 os_tid = 0x3c0 Thread: id = 292 os_tid = 0x3d0 Thread: id = 296 os_tid = 0x3e4 Thread: id = 297 os_tid = 0x3e8 Thread: id = 314 os_tid = 0x42c Thread: id = 315 os_tid = 0x430 Thread: id = 316 os_tid = 0x434 Thread: id = 324 os_tid = 0x458 Thread: id = 353 os_tid = 0x4e0 Thread: id = 356 os_tid = 0x4ec Thread: id = 361 os_tid = 0x500 Thread: id = 367 os_tid = 0x488 Thread: id = 368 os_tid = 0x48c Thread: id = 369 os_tid = 0x518 Thread: id = 370 os_tid = 0x51c Thread: id = 375 os_tid = 0x534 Thread: id = 447 os_tid = 0x668 Thread: id = 450 os_tid = 0x670 Thread: id = 451 os_tid = 0x674 Thread: id = 452 os_tid = 0x678 Thread: id = 453 os_tid = 0x67c Thread: id = 454 os_tid = 0x680 Thread: id = 457 os_tid = 0x68c Thread: id = 458 os_tid = 0x690 Thread: id = 459 os_tid = 0x694 Thread: id = 460 os_tid = 0x698 Thread: id = 461 os_tid = 0x69c Thread: id = 463 os_tid = 0x6a4 Thread: id = 465 os_tid = 0x6ac Thread: id = 466 os_tid = 0x6b0 Thread: id = 470 os_tid = 0x6c0 Thread: id = 473 os_tid = 0x6cc Thread: id = 506 os_tid = 0x75c Thread: id = 507 os_tid = 0x760 Thread: id = 513 os_tid = 0x778 Thread: id = 514 os_tid = 0x77c Thread: id = 515 os_tid = 0x780 Thread: id = 516 os_tid = 0x784 Thread: id = 519 os_tid = 0x790 Thread: id = 526 os_tid = 0x7ac Thread: id = 530 os_tid = 0x7bc Thread: id = 531 os_tid = 0x7c0 Thread: id = 532 os_tid = 0x7c4 Thread: id = 533 os_tid = 0x7c8 Thread: id = 541 os_tid = 0x7f0 Process: id = "26" image_name = "audiodg.exe" filename = "c:\\windows\\system32\\audiodg.exe" page_root = "0x7f1fa1e0" os_pid = "0x394" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "22" os_parent_pid = "0x2a8" cmd_line = "C:\\Windows\\system32\\AUDIODG.EXE 0x2e0" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xe], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000af09" [0xc000000f], "LOCAL" [0x7] Region: id = 2593 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2594 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2595 start_va = 0x5e0000 end_va = 0x5fdfff entry_point = 0x5e0000 region_type = mapped_file name = "audiodg.exe" filename = "\\Windows\\System32\\audiodg.exe" (normalized: "c:\\windows\\system32\\audiodg.exe") Region: id = 2596 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2597 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2598 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2599 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 2600 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 2601 start_va = 0x150000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2602 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2603 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2604 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2605 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 2606 start_va = 0x20000 end_va = 0x86fff entry_point = 0x20000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2607 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2608 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2609 start_va = 0x73e40000 end_va = 0x73e78fff entry_point = 0x73e40000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2610 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2611 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2612 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2613 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2614 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2615 start_va = 0x74190000 end_va = 0x74284fff entry_point = 0x74190000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2616 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2617 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2618 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2619 start_va = 0x90000 end_va = 0xacfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2620 start_va = 0xc0000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2621 start_va = 0x150000 end_va = 0x217fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 2622 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2623 start_va = 0x90000 end_va = 0xacfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2624 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2625 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2626 start_va = 0x220000 end_va = 0x320fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 2627 start_va = 0x430000 end_va = 0x4affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 2628 start_va = 0x90000 end_va = 0x96fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 2629 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 2630 start_va = 0xb0000 end_va = 0xb0fff entry_point = 0xb0000 region_type = mapped_file name = "audiodg.exe.mui" filename = "\\Windows\\System32\\en-US\\audiodg.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\audiodg.exe.mui") Region: id = 2631 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2632 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2633 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2634 start_va = 0x4b0000 end_va = 0x50bfff entry_point = 0x4b0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2635 start_va = 0x4b0000 end_va = 0x50bfff entry_point = 0x4b0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2636 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2639 start_va = 0x6e0000 end_va = 0x71ffff entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 2640 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2641 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 2646 start_va = 0x74730000 end_va = 0x74750fff entry_point = 0x74730000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2647 start_va = 0x77370000 end_va = 0x773b4fff entry_point = 0x77370000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2648 start_va = 0x640000 end_va = 0x67ffff entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 2649 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 2653 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 2654 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2655 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2656 start_va = 0x4b0000 end_va = 0x4ebfff entry_point = 0x4b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2657 start_va = 0x4b0000 end_va = 0x4ebfff entry_point = 0x4b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2658 start_va = 0x4b0000 end_va = 0x4ebfff entry_point = 0x4b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2659 start_va = 0x4b0000 end_va = 0x4ebfff entry_point = 0x4b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2660 start_va = 0x4b0000 end_va = 0x4ebfff entry_point = 0x4b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2661 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2662 start_va = 0x720000 end_va = 0x9eefff entry_point = 0x720000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2663 start_va = 0xa50000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 2664 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 2665 start_va = 0xaa0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 2666 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Thread: id = 278 os_tid = 0x398 Thread: id = 279 os_tid = 0x39c Thread: id = 281 os_tid = 0x3a4 Thread: id = 283 os_tid = 0x3ac Thread: id = 284 os_tid = 0x3b0 Process: id = "27" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1fa200" os_pid = "0x3d8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x1a8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d4ea" [0xc000000f], "LOCAL" [0x7] Region: id = 2753 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2754 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2755 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2756 start_va = 0xae0000 end_va = 0xae7fff entry_point = 0xae0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2757 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2758 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2759 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2760 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 2761 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 2762 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2765 start_va = 0x90000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2766 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2767 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2768 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2769 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 2770 start_va = 0x1d0000 end_va = 0x236fff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2771 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2772 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2773 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2774 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2775 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2776 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2777 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2778 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2779 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2780 start_va = 0x240000 end_va = 0x307fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 2781 start_va = 0x90000 end_va = 0xacfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2782 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2783 start_va = 0x90000 end_va = 0xacfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2784 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2785 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2786 start_va = 0x310000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 2787 start_va = 0x420000 end_va = 0x49ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 2788 start_va = 0x90000 end_va = 0x96fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 2789 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 2790 start_va = 0xb0000 end_va = 0xb0fff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 2791 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2792 start_va = 0x4a0000 end_va = 0x892fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 2793 start_va = 0x8a0000 end_va = 0x8fbfff entry_point = 0x8a0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2794 start_va = 0x8a0000 end_va = 0x8fbfff entry_point = 0x8a0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2795 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2797 start_va = 0x8a0000 end_va = 0x8dffff entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 2798 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 2994 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3006 start_va = 0x940000 end_va = 0x97ffff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 3007 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 3008 start_va = 0x900000 end_va = 0x93ffff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 3009 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3011 start_va = 0xba0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 3012 start_va = 0xbe0000 end_va = 0xeaefff entry_point = 0xbe0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3013 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 3014 start_va = 0x735b0000 end_va = 0x735f6fff entry_point = 0x735b0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 3015 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3016 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3017 start_va = 0x980000 end_va = 0x9bbfff entry_point = 0x980000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3018 start_va = 0x980000 end_va = 0x9bbfff entry_point = 0x980000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3019 start_va = 0x980000 end_va = 0x9bbfff entry_point = 0x980000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3020 start_va = 0x980000 end_va = 0x9bbfff entry_point = 0x980000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3021 start_va = 0x980000 end_va = 0x9bbfff entry_point = 0x980000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3022 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3023 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3050 start_va = 0x8e0000 end_va = 0x8e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 3051 start_va = 0x980000 end_va = 0x9bffff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 3052 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 3053 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3065 start_va = 0xa40000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 3066 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 3067 start_va = 0x9c0000 end_va = 0xa3ffff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 3270 start_va = 0xb20000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 3271 start_va = 0x72130000 end_va = 0x72137fff entry_point = 0x72130000 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 3272 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 3273 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4078 start_va = 0xf00000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 4079 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 4080 start_va = 0x8f0000 end_va = 0x8fffff entry_point = 0x8f0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 4081 start_va = 0x752b0000 end_va = 0x7530efff entry_point = 0x752b0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 4082 start_va = 0xa80000 end_va = 0xa83fff entry_point = 0xa80000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 4695 start_va = 0x1000000 end_va = 0x103ffff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 4696 start_va = 0x70850000 end_va = 0x70864fff entry_point = 0x70850000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 4697 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 4727 start_va = 0xa90000 end_va = 0xacffff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 4728 start_va = 0x707a0000 end_va = 0x7082ffff entry_point = 0x707a0000 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 4729 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 4732 start_va = 0xad0000 end_va = 0xad1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 4733 start_va = 0x70730000 end_va = 0x70790fff entry_point = 0x70730000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 4738 start_va = 0x73e20000 end_va = 0x73e32fff entry_point = 0x73e20000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 4739 start_va = 0x75210000 end_va = 0x75217fff entry_point = 0x75210000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 4740 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4741 start_va = 0x70710000 end_va = 0x70721fff entry_point = 0x70710000 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 4742 start_va = 0x70700000 end_va = 0x70702fff entry_point = 0x70700000 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 4743 start_va = 0x706f0000 end_va = 0x706fcfff entry_point = 0x706f0000 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 4744 start_va = 0x74870000 end_va = 0x74878fff entry_point = 0x74870000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4745 start_va = 0x706a0000 end_va = 0x706ebfff entry_point = 0x706a0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 4746 start_va = 0x1040000 end_va = 0x115ffff entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4748 start_va = 0x70870000 end_va = 0x708c9fff entry_point = 0x70870000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4749 start_va = 0x73750000 end_va = 0x7375ffff entry_point = 0x73750000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 4750 start_va = 0xaf0000 end_va = 0xbaffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 4756 start_va = 0xaf0000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 4757 start_va = 0xba0000 end_va = 0xbaffff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 4758 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 4759 start_va = 0x1160000 end_va = 0x125ffff entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 4776 start_va = 0xa90000 end_va = 0xacffff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 4777 start_va = 0x10e0000 end_va = 0x111ffff entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 4778 start_va = 0x1120000 end_va = 0x115ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 4779 start_va = 0x70590000 end_va = 0x70597fff entry_point = 0x70590000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4780 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 4781 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 4792 start_va = 0x1280000 end_va = 0x12bffff entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 4793 start_va = 0x12c0000 end_va = 0x13bffff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 4794 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 4799 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4800 start_va = 0xb30000 end_va = 0xb8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 4808 start_va = 0x72230000 end_va = 0x7224bfff entry_point = 0x72230000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4809 start_va = 0x72220000 end_va = 0x72226fff entry_point = 0x72220000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4920 start_va = 0xb30000 end_va = 0xb30fff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 4921 start_va = 0xb80000 end_va = 0xb8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 4922 start_va = 0x1440000 end_va = 0x147ffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 4923 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 4924 start_va = 0x749b0000 end_va = 0x749c5fff entry_point = 0x749b0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 4943 start_va = 0xb30000 end_va = 0xb6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 4944 start_va = 0xeb0000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 4945 start_va = 0x721c0000 end_va = 0x72217fff entry_point = 0x721c0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4946 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 4947 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 4948 start_va = 0x71820000 end_va = 0x7186efff entry_point = 0x71820000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 4949 start_va = 0x765e0000 end_va = 0x76636fff entry_point = 0x765e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4950 start_va = 0xf40000 end_va = 0xffffff entry_point = 0xf40000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4951 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 4952 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 4953 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 4954 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 4955 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 4956 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 4957 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 4958 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 4959 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 4960 start_va = 0x74ad0000 end_va = 0x74ad7fff entry_point = 0x74ad0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 4961 start_va = 0x74ca0000 end_va = 0x74ce3fff entry_point = 0x74ca0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 4962 start_va = 0x1480000 end_va = 0x15bffff entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 4963 start_va = 0x15c0000 end_va = 0x17affff entry_point = 0x0 region_type = private name = "private_0x00000000015c0000" filename = "" Region: id = 4964 start_va = 0x703e0000 end_va = 0x703effff entry_point = 0x703e0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 4965 start_va = 0x703c0000 end_va = 0x703d1fff entry_point = 0x703c0000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 4966 start_va = 0x74de0000 end_va = 0x74e1bfff entry_point = 0x74de0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4967 start_va = 0x703b0000 end_va = 0x703b7fff entry_point = 0x703b0000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 4968 start_va = 0x74900000 end_va = 0x74904fff entry_point = 0x74900000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 4969 start_va = 0x74dd0000 end_va = 0x74dd5fff entry_point = 0x74dd0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 4970 start_va = 0x708d0000 end_va = 0x708d5fff entry_point = 0x708d0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 4971 start_va = 0x71d20000 end_va = 0x71d57fff entry_point = 0x71d20000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 4972 start_va = 0x15c0000 end_va = 0x171ffff entry_point = 0x0 region_type = private name = "private_0x00000000015c0000" filename = "" Region: id = 4973 start_va = 0x17a0000 end_va = 0x17affff entry_point = 0x0 region_type = private name = "private_0x00000000017a0000" filename = "" Region: id = 5033 start_va = 0xb70000 end_va = 0xb71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 5157 start_va = 0xeb0000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 5158 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 5334 start_va = 0x15f0000 end_va = 0x162ffff entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 5335 start_va = 0x16e0000 end_va = 0x171ffff entry_point = 0x0 region_type = private name = "private_0x00000000016e0000" filename = "" Region: id = 5336 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Thread: id = 294 os_tid = 0x3dc Thread: id = 295 os_tid = 0x3e0 Thread: id = 304 os_tid = 0x404 Thread: id = 305 os_tid = 0x408 Thread: id = 306 os_tid = 0x40c Thread: id = 310 os_tid = 0x41c Thread: id = 313 os_tid = 0x428 Thread: id = 333 os_tid = 0x484 Thread: id = 424 os_tid = 0x60c Thread: id = 481 os_tid = 0x6f4 Thread: id = 485 os_tid = 0x70c Thread: id = 488 os_tid = 0x718 Thread: id = 493 os_tid = 0x72c Thread: id = 494 os_tid = 0x730 Thread: id = 497 os_tid = 0x73c Thread: id = 511 os_tid = 0x770 Thread: id = 517 os_tid = 0x788 Thread: id = 518 os_tid = 0x78c Thread: id = 534 os_tid = 0x7cc Thread: id = 542 os_tid = 0x7f4 Process: id = "28" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x7f1fa220" os_pid = "0x438" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0x234" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c567" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 3080 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3081 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3082 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 3083 start_va = 0xeb0000 end_va = 0xeb4fff entry_point = 0xeb0000 region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\System32\\dllhost.exe" (normalized: "c:\\windows\\system32\\dllhost.exe") Region: id = 3084 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3085 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3086 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3087 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 3088 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3089 start_va = 0x170000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3090 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3091 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3092 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3093 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 3094 start_va = 0x40000 end_va = 0xa6fff entry_point = 0x40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3095 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3096 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3097 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3098 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3099 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3100 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3101 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3102 start_va = 0x310000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 3103 start_va = 0xb0000 end_va = 0xccfff entry_point = 0xb0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3104 start_va = 0x3e0000 end_va = 0x4a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 3105 start_va = 0xb0000 end_va = 0xccfff entry_point = 0xb0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3106 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3107 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3108 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3109 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 3110 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3111 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3112 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 3113 start_va = 0x180000 end_va = 0x1dbfff entry_point = 0x180000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3114 start_va = 0x180000 end_va = 0x1dbfff entry_point = 0x180000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3115 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3116 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 3117 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3118 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3119 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3120 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3121 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3122 start_va = 0x690000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 3123 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3124 start_va = 0x720000 end_va = 0x75ffff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 3125 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3126 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 3127 start_va = 0x1a0000 end_va = 0x1dbfff entry_point = 0x1a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3128 start_va = 0x1a0000 end_va = 0x1dbfff entry_point = 0x1a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3129 start_va = 0x1a0000 end_va = 0x1dbfff entry_point = 0x1a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3130 start_va = 0x1a0000 end_va = 0x1dbfff entry_point = 0x1a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3131 start_va = 0x1a0000 end_va = 0x1dbfff entry_point = 0x1a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3132 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3133 start_va = 0x760000 end_va = 0xa2efff entry_point = 0x760000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3134 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3135 start_va = 0x5f0000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 3136 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 3137 start_va = 0x310000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 3138 start_va = 0x3d0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 3139 start_va = 0xab0000 end_va = 0xaeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 3140 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 3141 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3142 start_va = 0x742b0000 end_va = 0x742cdfff entry_point = 0x742b0000 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 3143 start_va = 0x72190000 end_va = 0x72213fff entry_point = 0x72190000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 3144 start_va = 0xaf0000 end_va = 0xc7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 3145 start_va = 0x765e0000 end_va = 0x76636fff entry_point = 0x765e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3146 start_va = 0x749d0000 end_va = 0x749e6fff entry_point = 0x749d0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3147 start_va = 0x75320000 end_va = 0x7532afff entry_point = 0x75320000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3150 start_va = 0x74290000 end_va = 0x742a1fff entry_point = 0x74290000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 3151 start_va = 0x758f0000 end_va = 0x76539fff entry_point = 0x758f0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3152 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3153 start_va = 0x74730000 end_va = 0x74750fff entry_point = 0x74730000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3154 start_va = 0x77370000 end_va = 0x773b4fff entry_point = 0x77370000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 3158 start_va = 0x72180000 end_va = 0x7218dfff entry_point = 0x72180000 region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Thread: id = 317 os_tid = 0x43c Thread: id = 318 os_tid = 0x440 Thread: id = 319 os_tid = 0x444 Thread: id = 320 os_tid = 0x448 Thread: id = 321 os_tid = 0x44c Thread: id = 322 os_tid = 0x450 Thread: id = 323 os_tid = 0x454 Process: id = "29" image_name = "dwm.exe" filename = "c:\\windows\\system32\\dwm.exe" page_root = "0x7f1fa240" os_pid = "0x468" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "24" os_parent_pid = "0x32c" cmd_line = "\"C:\\Windows\\system32\\Dwm.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000da77" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3204 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3205 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3206 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3207 start_va = 0xea0000 end_va = 0xeb9fff entry_point = 0xea0000 region_type = mapped_file name = "dwm.exe" filename = "\\Windows\\System32\\dwm.exe" (normalized: "c:\\windows\\system32\\dwm.exe") Region: id = 3208 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3209 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3210 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3211 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 3212 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3216 start_va = 0x40000 end_va = 0x41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3232 start_va = 0x150000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3233 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3234 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3235 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3236 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 3237 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3238 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3239 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3240 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3241 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3242 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3243 start_va = 0x74150000 end_va = 0x7418ffff entry_point = 0x74150000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 3244 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3245 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3246 start_va = 0x72150000 end_va = 0x7216afff entry_point = 0x72150000 region_type = mapped_file name = "dwmredir.dll" filename = "\\Windows\\System32\\dwmredir.dll" (normalized: "c:\\windows\\system32\\dwmredir.dll") Region: id = 3265 start_va = 0x71f70000 end_va = 0x720c0fff entry_point = 0x71f70000 region_type = mapped_file name = "dwmcore.dll" filename = "\\Windows\\System32\\dwmcore.dll" (normalized: "c:\\windows\\system32\\dwmcore.dll") Region: id = 3274 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3275 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3276 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3277 start_va = 0x73cf0000 end_va = 0x73deafff entry_point = 0x73cf0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 3278 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3279 start_va = 0x72100000 end_va = 0x7212bfff entry_point = 0x72100000 region_type = mapped_file name = "d3d10_1.dll" filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll") Region: id = 3283 start_va = 0x71ed0000 end_va = 0x71f09fff entry_point = 0x71ed0000 region_type = mapped_file name = "d3d10_1core.dll" filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll") Region: id = 3285 start_va = 0x71e40000 end_va = 0x71ec2fff entry_point = 0x71e40000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 3286 start_va = 0x74870000 end_va = 0x74878fff entry_point = 0x74870000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3287 start_va = 0x73e20000 end_va = 0x73e32fff entry_point = 0x73e20000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 3288 start_va = 0x76560000 end_va = 0x76564fff entry_point = 0x76560000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 3289 start_va = 0x2b0000 end_va = 0x377fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3290 start_va = 0x380000 end_va = 0x480fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 3291 start_va = 0xec0000 end_va = 0x1abffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 3292 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3293 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 3294 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 3295 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 3296 start_va = 0xf0000 end_va = 0xfffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3297 start_va = 0x490000 end_va = 0x882fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 3298 start_va = 0x890000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 3299 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 3300 start_va = 0x910000 end_va = 0x9eefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 3301 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3302 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3303 start_va = 0xb20000 end_va = 0xb5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 3304 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 3305 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3306 start_va = 0xae0000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 3307 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 3308 start_va = 0x890000 end_va = 0x8cffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 3309 start_va = 0x8d0000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 3310 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 3311 start_va = 0x738f0000 end_va = 0x73914fff entry_point = 0x738f0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3312 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3313 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3314 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3315 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3316 start_va = 0x738f0000 end_va = 0x73914fff entry_point = 0x738f0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3317 start_va = 0xb60000 end_va = 0xe2efff entry_point = 0xb60000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3318 start_va = 0x755a0000 end_va = 0x755ccfff entry_point = 0x755a0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 3319 start_va = 0x75480000 end_va = 0x7559cfff entry_point = 0x75480000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3320 start_va = 0x75390000 end_va = 0x7539bfff entry_point = 0x75390000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3321 start_va = 0x9f0000 end_va = 0xaeffff entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 3322 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 3325 start_va = 0x1ac0000 end_va = 0x1b3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ac0000" filename = "" Thread: id = 328 os_tid = 0x46c Thread: id = 334 os_tid = 0x494 Thread: id = 336 os_tid = 0x498 Thread: id = 337 os_tid = 0x49c Thread: id = 338 os_tid = 0x4a0 Thread: id = 538 os_tid = 0x7e0 Thread: id = 539 os_tid = 0x7e4 Process: id = "30" image_name = "slui.exe" filename = "c:\\windows\\system32\\slui.exe" page_root = "0x7f1fa260" os_pid = "0x470" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "16" os_parent_pid = "0x17c" cmd_line = "\"C:\\Windows\\system32\\slui.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000da77" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3221 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3222 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3223 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3224 start_va = 0x620000 end_va = 0x672fff entry_point = 0x620000 region_type = mapped_file name = "slui.exe" filename = "\\Windows\\System32\\slui.exe" (normalized: "c:\\windows\\system32\\slui.exe") Region: id = 3225 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3226 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3227 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3228 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3229 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3231 start_va = 0x40000 end_va = 0x42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3247 start_va = 0x190000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 3248 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3249 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3250 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3251 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 3252 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3253 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3254 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3255 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3256 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3257 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3258 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3259 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3260 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3284 start_va = 0x71f10000 end_va = 0x71f67fff entry_point = 0x71f10000 region_type = mapped_file name = "sppcommdlg.dll" filename = "\\Windows\\System32\\sppcommdlg.dll" (normalized: "c:\\windows\\system32\\sppcommdlg.dll") Region: id = 3374 start_va = 0x20000 end_va = 0x21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3375 start_va = 0x742d0000 end_va = 0x7446dfff entry_point = 0x742d0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 3376 start_va = 0x765e0000 end_va = 0x76636fff entry_point = 0x765e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3377 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3378 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3379 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3380 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3381 start_va = 0x758f0000 end_va = 0x76539fff entry_point = 0x758f0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3382 start_va = 0x73ce0000 end_va = 0x73ce6fff entry_point = 0x73ce0000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 3383 start_va = 0x73610000 end_va = 0x73619fff entry_point = 0x73610000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 3394 start_va = 0x71dd0000 end_va = 0x71df0fff entry_point = 0x71dd0000 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 3421 start_va = 0x370000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 3422 start_va = 0x190000 end_va = 0x257fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3423 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 3424 start_va = 0x370000 end_va = 0x470fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 3425 start_va = 0x560000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 3426 start_va = 0x680000 end_va = 0x127ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 3451 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 3452 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3453 start_va = 0xe0000 end_va = 0xe2fff entry_point = 0xe0000 region_type = mapped_file name = "slui.exe.mui" filename = "\\Windows\\System32\\en-US\\slui.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\slui.exe.mui") Region: id = 3456 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3457 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 3458 start_va = 0x110000 end_va = 0x110fff entry_point = 0x110000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 3459 start_va = 0x120000 end_va = 0x121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 3478 start_va = 0x480000 end_va = 0x4dbfff entry_point = 0x480000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3479 start_va = 0x480000 end_va = 0x4dbfff entry_point = 0x480000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3480 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3481 start_va = 0x74150000 end_va = 0x7418ffff entry_point = 0x74150000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 3482 start_va = 0x1280000 end_va = 0x139ffff entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 3490 start_va = 0x480000 end_va = 0x55efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 3493 start_va = 0x12c0000 end_va = 0x12fffff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 3494 start_va = 0x1360000 end_va = 0x139ffff entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 3495 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 3497 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3498 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 3499 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3500 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 3501 start_va = 0x14a0000 end_va = 0x14dffff entry_point = 0x0 region_type = private name = "private_0x00000000014a0000" filename = "" Region: id = 3502 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3503 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 3504 start_va = 0x570000 end_va = 0x5abfff entry_point = 0x570000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3505 start_va = 0x570000 end_va = 0x5abfff entry_point = 0x570000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3506 start_va = 0x570000 end_va = 0x5abfff entry_point = 0x570000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3507 start_va = 0x570000 end_va = 0x5abfff entry_point = 0x570000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3508 start_va = 0x570000 end_va = 0x5abfff entry_point = 0x570000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3509 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3510 start_va = 0x14e0000 end_va = 0x17aefff entry_point = 0x14e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3511 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3522 start_va = 0x570000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 3523 start_va = 0x5b0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 3524 start_va = 0x17e0000 end_va = 0x181ffff entry_point = 0x0 region_type = private name = "private_0x00000000017e0000" filename = "" Region: id = 3525 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 3526 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 3527 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3528 start_va = 0x18b0000 end_va = 0x18effff entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 3529 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 3530 start_va = 0x1440000 end_va = 0x147ffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 3531 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 3538 start_va = 0x71b00000 end_va = 0x71b32fff entry_point = 0x71b00000 region_type = mapped_file name = "sppcomapi.dll" filename = "\\Windows\\System32\\sppcomapi.dll" (normalized: "c:\\windows\\system32\\sppcomapi.dll") Region: id = 3541 start_va = 0x260000 end_va = 0x260fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 3629 start_va = 0x71990000 end_va = 0x71aa2fff entry_point = 0x71990000 region_type = mapped_file name = "sppcext.dll" filename = "\\Windows\\System32\\sppcext.dll" (normalized: "c:\\windows\\system32\\sppcext.dll") Region: id = 3749 start_va = 0x75480000 end_va = 0x7559cfff entry_point = 0x75480000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3750 start_va = 0x75390000 end_va = 0x7539bfff entry_point = 0x75390000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3796 start_va = 0x71950000 end_va = 0x71972fff entry_point = 0x71950000 region_type = mapped_file name = "winscard.dll" filename = "\\Windows\\System32\\WinSCard.dll" (normalized: "c:\\windows\\system32\\winscard.dll") Region: id = 3815 start_va = 0x721c0000 end_va = 0x72217fff entry_point = 0x721c0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 3816 start_va = 0x71820000 end_va = 0x7186efff entry_point = 0x71820000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 3817 start_va = 0x73aa0000 end_va = 0x73af1fff entry_point = 0x73aa0000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 3818 start_va = 0x73a80000 end_va = 0x73a94fff entry_point = 0x73a80000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 3819 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3820 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3821 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3822 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3823 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3869 start_va = 0x72180000 end_va = 0x721b1fff entry_point = 0x72180000 region_type = mapped_file name = "tapi32.dll" filename = "\\Windows\\System32\\tapi32.dll" (normalized: "c:\\windows\\system32\\tapi32.dll") Region: id = 3928 start_va = 0x71550000 end_va = 0x7178ffff entry_point = 0x71550000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 3979 start_va = 0x71540000 end_va = 0x71546fff entry_point = 0x71540000 region_type = mapped_file name = "slwga.dll" filename = "\\Windows\\System32\\slwga.dll" (normalized: "c:\\windows\\system32\\slwga.dll") Region: id = 3984 start_va = 0x73cd0000 end_va = 0x73cdcfff entry_point = 0x73cd0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3985 start_va = 0x74470000 end_va = 0x74567fff entry_point = 0x74470000 region_type = mapped_file name = "cryptui.dll" filename = "\\Windows\\System32\\cryptui.dll" (normalized: "c:\\windows\\system32\\cryptui.dll") Region: id = 3986 start_va = 0x5f0000 end_va = 0x5f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 3990 start_va = 0x18f0000 end_va = 0x19effff entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 4329 start_va = 0x600000 end_va = 0x601fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 4330 start_va = 0x19f0000 end_va = 0x1de2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019f0000" filename = "" Region: id = 4345 start_va = 0x610000 end_va = 0x61dfff entry_point = 0x610000 region_type = mapped_file name = "sppcomapi.dll" filename = "\\Windows\\System32\\sppcomapi.dll" (normalized: "c:\\windows\\system32\\sppcomapi.dll") Region: id = 4346 start_va = 0x752b0000 end_va = 0x7530efff entry_point = 0x752b0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 4356 start_va = 0x1280000 end_va = 0x1283fff entry_point = 0x1280000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Thread: id = 329 os_tid = 0x474 Thread: id = 358 os_tid = 0x4f4 Thread: id = 359 os_tid = 0x4f8 Thread: id = 362 os_tid = 0x504 Thread: id = 363 os_tid = 0x508 Thread: id = 364 os_tid = 0x50c Thread: id = 365 os_tid = 0x510 Thread: id = 366 os_tid = 0x514 Process: id = "31" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1fa280" os_pid = "0x4a8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x1a8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000f065" [0xc000000f], "LOCAL" [0x7] Region: id = 3326 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3327 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3328 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3329 start_va = 0xae0000 end_va = 0xae7fff entry_point = 0xae0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 3330 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3331 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3332 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3333 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 3334 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3335 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3339 start_va = 0x150000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3340 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3341 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3342 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3343 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 3344 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3345 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3346 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3347 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3348 start_va = 0x150000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3349 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 3350 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3351 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3352 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3353 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3354 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3355 start_va = 0x150000 end_va = 0x217fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 3356 start_va = 0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 3357 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3358 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3359 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3360 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3361 start_va = 0x400000 end_va = 0x500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3362 start_va = 0x510000 end_va = 0x58ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 3363 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3364 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 3365 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 3366 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 3367 start_va = 0x220000 end_va = 0x27bfff entry_point = 0x220000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3368 start_va = 0x590000 end_va = 0x982fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 3369 start_va = 0x220000 end_va = 0x27bfff entry_point = 0x220000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3370 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3390 start_va = 0xa20000 end_va = 0xa5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 3391 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3393 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3398 start_va = 0x240000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 3399 start_va = 0x2a0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 3400 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 3401 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 3403 start_va = 0xaa0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 3404 start_va = 0xaf0000 end_va = 0xdbefff entry_point = 0xaf0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3405 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3406 start_va = 0x71d60000 end_va = 0x71d82fff entry_point = 0x71d60000 region_type = mapped_file name = "dnsrslvr.dll" filename = "\\Windows\\System32\\dnsrslvr.dll" (normalized: "c:\\windows\\system32\\dnsrslvr.dll") Region: id = 3407 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3408 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3409 start_va = 0x74ca0000 end_va = 0x74ce3fff entry_point = 0x74ca0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3410 start_va = 0x72220000 end_va = 0x72226fff entry_point = 0x72220000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3411 start_va = 0xdc0000 end_va = 0xefffff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 3412 start_va = 0x71d20000 end_va = 0x71d57fff entry_point = 0x71d20000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3413 start_va = 0xf00000 end_va = 0x10dffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 3414 start_va = 0x720e0000 end_va = 0x720e4fff entry_point = 0x720e0000 region_type = mapped_file name = "dnsext.dll" filename = "\\Windows\\System32\\dnsext.dll" (normalized: "c:\\windows\\system32\\dnsext.dll") Region: id = 3415 start_va = 0x749d0000 end_va = 0x749e6fff entry_point = 0x749d0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3416 start_va = 0x75320000 end_va = 0x7532afff entry_point = 0x75320000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3417 start_va = 0xdd0000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 3418 start_va = 0xec0000 end_va = 0xefffff entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 3419 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 3420 start_va = 0x749b0000 end_va = 0x749c5fff entry_point = 0x749b0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3433 start_va = 0x9d0000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 3434 start_va = 0xf10000 end_va = 0xf4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 3435 start_va = 0x10a0000 end_va = 0x10dffff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 3436 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 3437 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 3438 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3439 start_va = 0xe30000 end_va = 0xe6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 3440 start_va = 0x74de0000 end_va = 0x74e1bfff entry_point = 0x74de0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3441 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 3442 start_va = 0x74dd0000 end_va = 0x74dd5fff entry_point = 0x74dd0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 3443 start_va = 0x72230000 end_va = 0x7224bfff entry_point = 0x72230000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3444 start_va = 0x71d10000 end_va = 0x71d1cfff entry_point = 0x71d10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 3445 start_va = 0x71cf0000 end_va = 0x71d01fff entry_point = 0x71cf0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 3454 start_va = 0x74900000 end_va = 0x74904fff entry_point = 0x74900000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 3476 start_va = 0xf70000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 3828 start_va = 0xf50000 end_va = 0xf8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 3829 start_va = 0x10e0000 end_va = 0x125ffff entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 3830 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3957 start_va = 0xfd0000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 3958 start_va = 0x10f0000 end_va = 0x112ffff entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 3959 start_va = 0x1250000 end_va = 0x125ffff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 3960 start_va = 0x71520000 end_va = 0x71536fff entry_point = 0x71520000 region_type = mapped_file name = "wkssvc.dll" filename = "\\Windows\\System32\\wkssvc.dll" (normalized: "c:\\windows\\system32\\wkssvc.dll") Region: id = 3961 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 3962 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3963 start_va = 0x73bc0000 end_va = 0x73bc8fff entry_point = 0x73bc0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3964 start_va = 0x74ef0000 end_va = 0x74f1afff entry_point = 0x74ef0000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 3965 start_va = 0x1130000 end_va = 0x122ffff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 3970 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3971 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3972 start_va = 0xa60000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 3980 start_va = 0x1030000 end_va = 0x106ffff entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 3981 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 3987 start_va = 0x1380000 end_va = 0x13bffff entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 3988 start_va = 0x714e0000 end_va = 0x71503fff entry_point = 0x714e0000 region_type = mapped_file name = "cryptsvc.dll" filename = "\\Windows\\System32\\cryptsvc.dll" (normalized: "c:\\windows\\system32\\cryptsvc.dll") Region: id = 3989 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 3991 start_va = 0x75480000 end_va = 0x7559cfff entry_point = 0x75480000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3992 start_va = 0x75390000 end_va = 0x7539bfff entry_point = 0x75390000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3993 start_va = 0x12a0000 end_va = 0x12dffff entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 3994 start_va = 0x1310000 end_va = 0x134ffff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 3995 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 3996 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 4000 start_va = 0x71390000 end_va = 0x714a5fff entry_point = 0x71390000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 4001 start_va = 0x73680000 end_va = 0x73693fff entry_point = 0x73680000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 4002 start_va = 0x71380000 end_va = 0x7138ffff entry_point = 0x71380000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 4003 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4004 start_va = 0x73ba0000 end_va = 0x73baefff entry_point = 0x73ba0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4005 start_va = 0x74290000 end_va = 0x742a1fff entry_point = 0x74290000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4006 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4007 start_va = 0x990000 end_va = 0x9cbfff entry_point = 0x990000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4008 start_va = 0x990000 end_va = 0x9cbfff entry_point = 0x990000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4009 start_va = 0x990000 end_va = 0x9cbfff entry_point = 0x990000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4010 start_va = 0x990000 end_va = 0x9cbfff entry_point = 0x990000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4011 start_va = 0x990000 end_va = 0x9cbfff entry_point = 0x990000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4012 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4068 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 4069 start_va = 0x1260000 end_va = 0x129ffff entry_point = 0x0 region_type = private name = "private_0x0000000001260000" filename = "" Region: id = 4070 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 4071 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4072 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 4073 start_va = 0x735b0000 end_va = 0x735f6fff entry_point = 0x735b0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 4076 start_va = 0x74190000 end_va = 0x74284fff entry_point = 0x74190000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 4210 start_va = 0x990000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 4215 start_va = 0x71150000 end_va = 0x7118dfff entry_point = 0x71150000 region_type = mapped_file name = "nlasvc.dll" filename = "\\Windows\\System32\\nlasvc.dll" (normalized: "c:\\windows\\system32\\nlasvc.dll") Region: id = 4216 start_va = 0x74fc0000 end_va = 0x75001fff entry_point = 0x74fc0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 4217 start_va = 0x712b0000 end_va = 0x712d7fff entry_point = 0x712b0000 region_type = mapped_file name = "ncsi.dll" filename = "\\Windows\\System32\\ncsi.dll" (normalized: "c:\\windows\\system32\\ncsi.dll") Region: id = 4218 start_va = 0x721c0000 end_va = 0x72217fff entry_point = 0x721c0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4219 start_va = 0x71820000 end_va = 0x7186efff entry_point = 0x71820000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 4220 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4221 start_va = 0x12e0000 end_va = 0x140ffff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 4249 start_va = 0x75210000 end_va = 0x75217fff entry_point = 0x75210000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 4250 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 4251 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 4252 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 4253 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 4254 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 4255 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 4256 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 4257 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 4258 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 4259 start_va = 0x74ad0000 end_va = 0x74ad7fff entry_point = 0x74ad0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 4260 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 4261 start_va = 0x1410000 end_va = 0x156ffff entry_point = 0x0 region_type = private name = "private_0x0000000001410000" filename = "" Region: id = 4264 start_va = 0x12e0000 end_va = 0x13dffff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 4265 start_va = 0x1400000 end_va = 0x140ffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 4266 start_va = 0x1410000 end_va = 0x150ffff entry_point = 0x0 region_type = private name = "private_0x0000000001410000" filename = "" Region: id = 4267 start_va = 0x1560000 end_va = 0x156ffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 4268 start_va = 0x71270000 end_va = 0x7127cfff entry_point = 0x71270000 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 4320 start_va = 0xf90000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 4321 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 4322 start_va = 0x15a0000 end_va = 0x15dffff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 4323 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 4324 start_va = 0x73bb0000 end_va = 0x73bbefff entry_point = 0x73bb0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4325 start_va = 0x1680000 end_va = 0x16bffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 4326 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 4371 start_va = 0x10e0000 end_va = 0x111ffff entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 4372 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 4373 start_va = 0x74f30000 end_va = 0x74f46fff entry_point = 0x74f30000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4374 start_va = 0x74b00000 end_va = 0x74b3cfff entry_point = 0x74b00000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4543 start_va = 0x990000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 4823 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 4832 start_va = 0x1610000 end_va = 0x164ffff entry_point = 0x0 region_type = private name = "private_0x0000000001610000" filename = "" Region: id = 4833 start_va = 0x73cd0000 end_va = 0x73cdcfff entry_point = 0x73cd0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4834 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 4835 start_va = 0x75270000 end_va = 0x75298fff entry_point = 0x75270000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4837 start_va = 0x1520000 end_va = 0x155ffff entry_point = 0x0 region_type = private name = "private_0x0000000001520000" filename = "" Region: id = 4838 start_va = 0x7ffaa000 end_va = 0x7ffaafff entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Region: id = 4939 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 4940 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 4941 start_va = 0x765e0000 end_va = 0x76636fff entry_point = 0x765e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4942 start_va = 0x16c0000 end_va = 0x177ffff entry_point = 0x16c0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 340 os_tid = 0x4ac Thread: id = 341 os_tid = 0x4b0 Thread: id = 344 os_tid = 0x4bc Thread: id = 345 os_tid = 0x4c0 Thread: id = 346 os_tid = 0x4c4 Thread: id = 347 os_tid = 0x4c8 Thread: id = 350 os_tid = 0x4d4 Thread: id = 351 os_tid = 0x4d8 Thread: id = 352 os_tid = 0x4dc Thread: id = 354 os_tid = 0x4e4 Thread: id = 355 os_tid = 0x4e8 Thread: id = 357 os_tid = 0x4f0 Thread: id = 360 os_tid = 0x4fc Thread: id = 403 os_tid = 0x5b0 Thread: id = 408 os_tid = 0x5c4 Thread: id = 412 os_tid = 0x5d4 Thread: id = 414 os_tid = 0x5dc Thread: id = 415 os_tid = 0x5e4 Thread: id = 422 os_tid = 0x604 Thread: id = 428 os_tid = 0x61c Thread: id = 432 os_tid = 0x62c Thread: id = 434 os_tid = 0x634 Thread: id = 435 os_tid = 0x638 Thread: id = 436 os_tid = 0x63c Thread: id = 449 os_tid = 0x5e0 Thread: id = 501 os_tid = 0x74c Thread: id = 502 os_tid = 0x750 Process: id = "32" image_name = "spoolsv.exe" filename = "c:\\windows\\system32\\spoolsv.exe" page_root = "0x7f1fa2a0" os_pid = "0x52c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x1a8" cmd_line = "C:\\Windows\\System32\\spoolsv.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Spooler" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000fdce" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 3549 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3550 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3551 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 3552 start_va = 0xf70000 end_va = 0xfbffff entry_point = 0xf70000 region_type = mapped_file name = "spoolsv.exe" filename = "\\Windows\\System32\\spoolsv.exe" (normalized: "c:\\windows\\system32\\spoolsv.exe") Region: id = 3553 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3554 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3555 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3556 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 3557 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3560 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3561 start_va = 0x110000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3568 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3569 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3570 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3571 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 3572 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3573 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3574 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3575 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3576 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3577 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3578 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3579 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3580 start_va = 0x738f0000 end_va = 0x73914fff entry_point = 0x738f0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3581 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3582 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3583 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3584 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3585 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3586 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3587 start_va = 0x74ca0000 end_va = 0x74ce3fff entry_point = 0x74ca0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3588 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3589 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3590 start_va = 0x370000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 3591 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 3592 start_va = 0x1e0000 end_va = 0x1fcfff entry_point = 0x1e0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3593 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 3594 start_va = 0x1e0000 end_va = 0x1fcfff entry_point = 0x1e0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3595 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3596 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3597 start_va = 0x370000 end_va = 0x470fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 3598 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 3599 start_va = 0xfc0000 end_va = 0x1bbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 3600 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3601 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 3602 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 3603 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3604 start_va = 0x4f0000 end_va = 0x8e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 3605 start_va = 0x8f0000 end_va = 0x99ffff entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 3616 start_va = 0xa30000 end_va = 0xa6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 3617 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3618 start_va = 0x9b0000 end_va = 0x9effff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 3619 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 3622 start_va = 0x200000 end_va = 0x25bfff entry_point = 0x200000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3623 start_va = 0x4a0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 3624 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 3625 start_va = 0x200000 end_va = 0x25bfff entry_point = 0x200000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3626 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3627 start_va = 0xa70000 end_va = 0xbeffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 3628 start_va = 0xbf0000 end_va = 0xd6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 3660 start_va = 0x910000 end_va = 0x94ffff entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 3661 start_va = 0x960000 end_va = 0x99ffff entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 3662 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3663 start_va = 0x73610000 end_va = 0x73619fff entry_point = 0x73610000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 3664 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3682 start_va = 0x75210000 end_va = 0x75217fff entry_point = 0x75210000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3683 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3684 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3685 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3686 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3687 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3688 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3689 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3690 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3691 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3692 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3693 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3694 start_va = 0x74ad0000 end_va = 0x74ad7fff entry_point = 0x74ad0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 3695 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Thread: id = 374 os_tid = 0x530 Thread: id = 377 os_tid = 0x53c Thread: id = 378 os_tid = 0x540 Thread: id = 379 os_tid = 0x544 Thread: id = 382 os_tid = 0x554 Thread: id = 385 os_tid = 0x560 Process: id = "33" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x7f1fa2c0" os_pid = "0x548" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x1a8" cmd_line = "\"taskhost.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000da77" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3630 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3631 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3632 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3633 start_va = 0xfa0000 end_va = 0xfaefff entry_point = 0xfa0000 region_type = mapped_file name = "taskhost.exe" filename = "\\Windows\\System32\\taskhost.exe" (normalized: "c:\\windows\\system32\\taskhost.exe") Region: id = 3634 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3635 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3636 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3637 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 3638 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3641 start_va = 0x210000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3642 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3643 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3644 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3645 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 3646 start_va = 0x40000 end_va = 0xa6fff entry_point = 0x40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3647 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3648 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3649 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3650 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3651 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3652 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3653 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3654 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3655 start_va = 0x210000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3656 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 3665 start_va = 0xb0000 end_va = 0x177fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 3666 start_va = 0x180000 end_va = 0x19cfff entry_point = 0x180000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3667 start_va = 0x180000 end_va = 0x19cfff entry_point = 0x180000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3668 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3669 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3670 start_va = 0x210000 end_va = 0x310fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 3671 start_va = 0x350000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 3672 start_va = 0xfb0000 end_va = 0x1baffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fb0000" filename = "" Region: id = 3673 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3674 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 3675 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 3676 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 3677 start_va = 0x4e0000 end_va = 0x8d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 3678 start_va = 0x360000 end_va = 0x3bbfff entry_point = 0x360000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3679 start_va = 0x360000 end_va = 0x3bbfff entry_point = 0x360000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3680 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3681 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3696 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 3697 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3698 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3699 start_va = 0xa80000 end_va = 0xabffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 3700 start_va = 0x74150000 end_va = 0x7418ffff entry_point = 0x74150000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 3701 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 3702 start_va = 0xac0000 end_va = 0xcdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 3713 start_va = 0x990000 end_va = 0xa6efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 3714 start_va = 0x73e20000 end_va = 0x73e32fff entry_point = 0x73e20000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 3715 start_va = 0x910000 end_va = 0x94ffff entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 3716 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 3751 start_va = 0xb30000 end_va = 0xb6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 3752 start_va = 0xca0000 end_va = 0xcdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 3753 start_va = 0xce0000 end_va = 0xe3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 3754 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3755 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3756 start_va = 0xc20000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 3757 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 3758 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3759 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 3762 start_va = 0x71980000 end_va = 0x71988fff entry_point = 0x71980000 region_type = mapped_file name = "hotstartuseragent.dll" filename = "\\Windows\\System32\\HotStartUserAgent.dll" (normalized: "c:\\windows\\system32\\hotstartuseragent.dll") Region: id = 3804 start_va = 0xb80000 end_va = 0xbbffff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 3805 start_va = 0x718c0000 end_va = 0x718c7fff entry_point = 0x718c0000 region_type = mapped_file name = "msctfmonitor.dll" filename = "\\Windows\\System32\\MsCtfMonitor.dll" (normalized: "c:\\windows\\system32\\msctfmonitor.dll") Region: id = 3806 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 3807 start_va = 0xaf0000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 3808 start_va = 0x71890000 end_va = 0x718bbfff entry_point = 0x71890000 region_type = mapped_file name = "msutb.dll" filename = "\\Windows\\System32\\msutb.dll" (normalized: "c:\\windows\\system32\\msutb.dll") Region: id = 3809 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 3810 start_va = 0x75270000 end_va = 0x75298fff entry_point = 0x75270000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3811 start_va = 0x73cd0000 end_va = 0x73cdcfff entry_point = 0x73cd0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3812 start_va = 0x71870000 end_va = 0x71885fff entry_point = 0x71870000 region_type = mapped_file name = "playsndsrv.dll" filename = "\\Windows\\System32\\PlaySndSrv.dll" (normalized: "c:\\windows\\system32\\playsndsrv.dll") Region: id = 3826 start_va = 0xc60000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 3827 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 3840 start_va = 0x360000 end_va = 0x391fff entry_point = 0x360000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3841 start_va = 0x360000 end_va = 0x391fff entry_point = 0x360000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3842 start_va = 0x360000 end_va = 0x391fff entry_point = 0x360000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3843 start_va = 0x360000 end_va = 0x391fff entry_point = 0x360000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3844 start_va = 0x360000 end_va = 0x391fff entry_point = 0x360000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3845 start_va = 0x360000 end_va = 0x391fff entry_point = 0x360000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3846 start_va = 0x360000 end_va = 0x391fff entry_point = 0x360000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3847 start_va = 0x360000 end_va = 0x391fff entry_point = 0x360000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3848 start_va = 0x360000 end_va = 0x391fff entry_point = 0x360000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3849 start_va = 0x360000 end_va = 0x3b4fff entry_point = 0x360000 region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 3850 start_va = 0x360000 end_va = 0x391fff entry_point = 0x360000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3851 start_va = 0x320000 end_va = 0x33efff entry_point = 0x320000 region_type = mapped_file name = "sptip.dll" filename = "\\Windows\\IME\\SPTIP.DLL" (normalized: "c:\\windows\\ime\\sptip.dll") Region: id = 3852 start_va = 0x360000 end_va = 0x3affff entry_point = 0x360000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3853 start_va = 0x360000 end_va = 0x3affff entry_point = 0x360000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3854 start_va = 0x360000 end_va = 0x3affff entry_point = 0x360000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3855 start_va = 0x360000 end_va = 0x3affff entry_point = 0x360000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3859 start_va = 0x360000 end_va = 0x3affff entry_point = 0x360000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3860 start_va = 0x360000 end_va = 0x3affff entry_point = 0x360000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3861 start_va = 0x360000 end_va = 0x3affff entry_point = 0x360000 region_type = mapped_file name = "tabletextservice.dll" filename = "\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll") Region: id = 3862 start_va = 0x360000 end_va = 0x3b4fff entry_point = 0x360000 region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 3863 start_va = 0x360000 end_va = 0x391fff entry_point = 0x360000 region_type = mapped_file name = "input.dll" filename = "\\Windows\\System32\\input.dll" (normalized: "c:\\windows\\system32\\input.dll") Region: id = 3864 start_va = 0xce0000 end_va = 0xd9ffff entry_point = 0xce0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3865 start_va = 0xe00000 end_va = 0xe3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 3866 start_va = 0x320000 end_va = 0x321fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 3870 start_va = 0xb80000 end_va = 0xbbffff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 3871 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 3872 start_va = 0x330000 end_va = 0x331fff entry_point = 0x330000 region_type = mapped_file name = "msutb.dll.mui" filename = "\\Windows\\System32\\en-US\\msutb.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msutb.dll.mui") Region: id = 3873 start_va = 0xe40000 end_va = 0xf2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 3874 start_va = 0x360000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 4225 start_va = 0x340000 end_va = 0x340fff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 4226 start_va = 0x380000 end_va = 0x380fff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 4227 start_va = 0x73610000 end_va = 0x73619fff entry_point = 0x73610000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 4262 start_va = 0x1c30000 end_va = 0x1c6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c30000" filename = "" Region: id = 4263 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 4367 start_va = 0x1bf0000 end_va = 0x1c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bf0000" filename = "" Region: id = 4368 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 4994 start_va = 0xdb0000 end_va = 0xdeffff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 4995 start_va = 0x703a0000 end_va = 0x703aafff entry_point = 0x703a0000 region_type = mapped_file name = "dimsjob.dll" filename = "\\Windows\\System32\\dimsjob.dll" (normalized: "c:\\windows\\system32\\dimsjob.dll") Region: id = 4996 start_va = 0x765e0000 end_va = 0x76636fff entry_point = 0x765e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4997 start_va = 0x736a0000 end_va = 0x7371cfff entry_point = 0x736a0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 4998 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 5070 start_va = 0x1c30000 end_va = 0x1d2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c30000" filename = "" Region: id = 5144 start_va = 0x70870000 end_va = 0x708c9fff entry_point = 0x70870000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 5145 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5146 start_va = 0x73750000 end_va = 0x7375ffff entry_point = 0x73750000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 5147 start_va = 0x1d30000 end_va = 0x1deffff entry_point = 0x0 region_type = private name = "private_0x0000000001d30000" filename = "" Region: id = 5148 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 5149 start_va = 0x390000 end_va = 0x3cbfff entry_point = 0x390000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5150 start_va = 0x390000 end_va = 0x3cbfff entry_point = 0x390000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5151 start_va = 0x390000 end_va = 0x3cbfff entry_point = 0x390000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5152 start_va = 0x390000 end_va = 0x3cbfff entry_point = 0x390000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5153 start_va = 0x390000 end_va = 0x3cbfff entry_point = 0x390000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5154 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5155 start_va = 0x1df0000 end_va = 0x20befff entry_point = 0x1df0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5192 start_va = 0xac0000 end_va = 0xafffff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 5193 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 5209 start_va = 0x70590000 end_va = 0x70597fff entry_point = 0x70590000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 5250 start_va = 0x70220000 end_va = 0x7022cfff entry_point = 0x70220000 region_type = mapped_file name = "pautoenr.dll" filename = "\\Windows\\System32\\pautoenr.dll" (normalized: "c:\\windows\\system32\\pautoenr.dll") Region: id = 5282 start_va = 0x390000 end_va = 0x392fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 5283 start_va = 0x77370000 end_va = 0x773b4fff entry_point = 0x77370000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 5284 start_va = 0x746d0000 end_va = 0x74725fff entry_point = 0x746d0000 region_type = mapped_file name = "certcli.dll" filename = "\\Windows\\System32\\certcli.dll" (normalized: "c:\\windows\\system32\\certcli.dll") Region: id = 5286 start_va = 0xe60000 end_va = 0xe9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 5287 start_va = 0xef0000 end_va = 0xf2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 5288 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 5350 start_va = 0x73680000 end_va = 0x73693fff entry_point = 0x73680000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 5351 start_va = 0x75480000 end_va = 0x7559cfff entry_point = 0x75480000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 5352 start_va = 0x75390000 end_va = 0x7539bfff entry_point = 0x75390000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 5357 start_va = 0x74560000 end_va = 0x746a7fff entry_point = 0x74560000 region_type = mapped_file name = "certenroll.dll" filename = "\\Windows\\System32\\CertEnroll.dll" (normalized: "c:\\windows\\system32\\certenroll.dll") Region: id = 5449 start_va = 0x73fa0000 end_va = 0x73fd1fff entry_point = 0x73fa0000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Thread: id = 380 os_tid = 0x54c Thread: id = 384 os_tid = 0x55c Thread: id = 386 os_tid = 0x564 Thread: id = 388 os_tid = 0x570 Thread: id = 389 os_tid = 0x574 Thread: id = 390 os_tid = 0x578 Thread: id = 395 os_tid = 0x58c Thread: id = 397 os_tid = 0x594 Thread: id = 398 os_tid = 0x598 Thread: id = 399 os_tid = 0x5a0 Thread: id = 431 os_tid = 0x628 Thread: id = 438 os_tid = 0x644 Thread: id = 523 os_tid = 0x7a8 Thread: id = 535 os_tid = 0x7d0 Thread: id = 540 os_tid = 0x7ec Process: id = "34" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1fa2e0" os_pid = "0x568" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x1a8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xe], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:00010346" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Region: id = 3703 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3704 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3705 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3706 start_va = 0xae0000 end_va = 0xae7fff entry_point = 0xae0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 3707 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3708 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3709 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3710 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3711 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3712 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3717 start_va = 0x130000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 3718 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3719 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3720 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3721 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 3722 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3723 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3724 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3725 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3726 start_va = 0x380000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 3727 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3728 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3729 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3730 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3731 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3732 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3733 start_va = 0x130000 end_va = 0x1f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 3734 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 3735 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3736 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3737 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3738 start_va = 0x200000 end_va = 0x27ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 3739 start_va = 0x380000 end_va = 0x480fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 3740 start_va = 0x540000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 3741 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3742 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 3743 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 3744 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 3745 start_va = 0x490000 end_va = 0x4ebfff entry_point = 0x490000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3746 start_va = 0x550000 end_va = 0x942fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 3747 start_va = 0x490000 end_va = 0x4ebfff entry_point = 0x490000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3748 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3760 start_va = 0xa10000 end_va = 0xa4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 3761 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 3765 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3782 start_va = 0x4f0000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3783 start_va = 0xb40000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 3784 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3785 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 3792 start_va = 0x9a0000 end_va = 0x9dffff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 3793 start_va = 0xb80000 end_va = 0xe4efff entry_point = 0xb80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3794 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 3795 start_va = 0x718d0000 end_va = 0x7194dfff entry_point = 0x718d0000 region_type = mapped_file name = "bfe.dll" filename = "\\Windows\\System32\\BFE.DLL" (normalized: "c:\\windows\\system32\\bfe.dll") Region: id = 3797 start_va = 0x74f90000 end_va = 0x74faafff entry_point = 0x74f90000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 3798 start_va = 0x73610000 end_va = 0x73619fff entry_point = 0x73610000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 3800 start_va = 0xe50000 end_va = 0xefffff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 3801 start_va = 0xf70000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 3802 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 3803 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3839 start_va = 0xfb0000 end_va = 0x10affff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 3857 start_va = 0x74980000 end_va = 0x7498afff entry_point = 0x74980000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 3858 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3875 start_va = 0x10c0000 end_va = 0x10fffff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 3876 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 3918 start_va = 0x1120000 end_va = 0x115ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 3919 start_va = 0x71790000 end_va = 0x7181cfff entry_point = 0x71790000 region_type = mapped_file name = "mpssvc.dll" filename = "\\Windows\\System32\\MPSSVC.dll" (normalized: "c:\\windows\\system32\\mpssvc.dll") Region: id = 3922 start_va = 0x74880000 end_va = 0x748f5fff entry_point = 0x74880000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 3923 start_va = 0x74870000 end_va = 0x74878fff entry_point = 0x74870000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3924 start_va = 0x71d20000 end_va = 0x71d57fff entry_point = 0x71d20000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3925 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3926 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3927 start_va = 0x1160000 end_va = 0x12fffff entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 3929 start_va = 0x490000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 3930 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 3931 start_va = 0x4d0000 end_va = 0x4ebfff entry_point = 0x4d0000 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 3932 start_va = 0x765e0000 end_va = 0x76636fff entry_point = 0x765e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3933 start_va = 0xa60000 end_va = 0xa9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 3934 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 3935 start_va = 0xaf0000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 3936 start_va = 0x75210000 end_va = 0x75217fff entry_point = 0x75210000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3937 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 3938 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3939 start_va = 0x530000 end_va = 0x530fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 3940 start_va = 0x530000 end_va = 0x530fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 3941 start_va = 0x530000 end_va = 0x530fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 3942 start_va = 0x530000 end_va = 0x530fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 3943 start_va = 0x530000 end_va = 0x530fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 3944 start_va = 0x530000 end_va = 0x530fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 3945 start_va = 0x530000 end_va = 0x530fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 3946 start_va = 0x530000 end_va = 0x530fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 3947 start_va = 0x530000 end_va = 0x530fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 3948 start_va = 0x74ad0000 end_va = 0x74ad7fff entry_point = 0x74ad0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 3949 start_va = 0x530000 end_va = 0x530fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 3950 start_va = 0xe50000 end_va = 0xe8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 3951 start_va = 0xec0000 end_va = 0xefffff entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 3952 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 3953 start_va = 0x749d0000 end_va = 0x749e6fff entry_point = 0x749d0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3954 start_va = 0x75320000 end_va = 0x7532afff entry_point = 0x75320000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3955 start_va = 0x749b0000 end_va = 0x749c5fff entry_point = 0x749b0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3956 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3966 start_va = 0x72230000 end_va = 0x7224bfff entry_point = 0x72230000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3967 start_va = 0x72220000 end_va = 0x72226fff entry_point = 0x72220000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3968 start_va = 0x1100000 end_va = 0x11fffff entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 3969 start_va = 0x71d10000 end_va = 0x71d1cfff entry_point = 0x71d10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 3973 start_va = 0x71cf0000 end_va = 0x71d01fff entry_point = 0x71cf0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 3974 start_va = 0x74de0000 end_va = 0x74e1bfff entry_point = 0x74de0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3975 start_va = 0x71510000 end_va = 0x71515fff entry_point = 0x71510000 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 3976 start_va = 0x74900000 end_va = 0x74904fff entry_point = 0x74900000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 3977 start_va = 0x74dd0000 end_va = 0x74dd5fff entry_point = 0x74dd0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 3982 start_va = 0x9d0000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 3983 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 3997 start_va = 0x1390000 end_va = 0x13cffff entry_point = 0x0 region_type = private name = "private_0x0000000001390000" filename = "" Region: id = 3998 start_va = 0x714b0000 end_va = 0x714d4fff entry_point = 0x714b0000 region_type = mapped_file name = "dps.dll" filename = "\\Windows\\System32\\dps.dll" (normalized: "c:\\windows\\system32\\dps.dll") Region: id = 3999 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 4023 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4024 start_va = 0x950000 end_va = 0x950fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 4025 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4026 start_va = 0x960000 end_va = 0x960fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 4027 start_va = 0x736a0000 end_va = 0x7371cfff entry_point = 0x736a0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 4060 start_va = 0x13e0000 end_va = 0x141ffff entry_point = 0x0 region_type = private name = "private_0x00000000013e0000" filename = "" Region: id = 4061 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 4062 start_va = 0x1280000 end_va = 0x12bffff entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 4063 start_va = 0x12c0000 end_va = 0x12fffff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 4064 start_va = 0x1470000 end_va = 0x14affff entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 4065 start_va = 0x71370000 end_va = 0x71377fff entry_point = 0x71370000 region_type = mapped_file name = "wfapigp.dll" filename = "\\Windows\\System32\\wfapigp.dll" (normalized: "c:\\windows\\system32\\wfapigp.dll") Region: id = 4066 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 4067 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 4083 start_va = 0x1500000 end_va = 0x153ffff entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 4084 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 4089 start_va = 0x970000 end_va = 0x970fff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 4094 start_va = 0x970000 end_va = 0x970fff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 4095 start_va = 0x970000 end_va = 0x977fff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 4097 start_va = 0x980000 end_va = 0x983fff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 4098 start_va = 0x990000 end_va = 0x993fff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 4099 start_va = 0x9a0000 end_va = 0x9a3fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4100 start_va = 0x9b0000 end_va = 0x9b0fff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 4101 start_va = 0x9c0000 end_va = 0x9c1fff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 4102 start_va = 0xa50000 end_va = 0xa50fff entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 4103 start_va = 0xaa0000 end_va = 0xaa0fff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 4104 start_va = 0xab0000 end_va = 0xab0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 4105 start_va = 0xac0000 end_va = 0xac0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 4106 start_va = 0xad0000 end_va = 0xad0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 4107 start_va = 0xb30000 end_va = 0xb30fff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 4108 start_va = 0xe90000 end_va = 0xe90fff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 4109 start_va = 0xea0000 end_va = 0xea0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 4110 start_va = 0xeb0000 end_va = 0xeb0fff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 4111 start_va = 0xf00000 end_va = 0xf00fff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 4112 start_va = 0xf10000 end_va = 0xf10fff entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 4113 start_va = 0xf20000 end_va = 0xf20fff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 4114 start_va = 0x71260000 end_va = 0x712d8fff entry_point = 0x71260000 region_type = mapped_file name = "mscms.dll" filename = "\\Windows\\System32\\mscms.dll" (normalized: "c:\\windows\\system32\\mscms.dll") Region: id = 4120 start_va = 0x71110000 end_va = 0x71188fff entry_point = 0x71110000 region_type = mapped_file name = "mscms.dll" filename = "\\Windows\\System32\\mscms.dll" (normalized: "c:\\windows\\system32\\mscms.dll") Region: id = 4121 start_va = 0x712b0000 end_va = 0x712d7fff entry_point = 0x712b0000 region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 4211 start_va = 0x71160000 end_va = 0x71187fff entry_point = 0x71160000 region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 4212 start_va = 0x712b0000 end_va = 0x712d7fff entry_point = 0x712b0000 region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 4213 start_va = 0x71160000 end_va = 0x71187fff entry_point = 0x71160000 region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 4214 start_va = 0xf40000 end_va = 0xf45fff entry_point = 0xf40000 region_type = mapped_file name = "snmptrap.exe" filename = "\\Windows\\System32\\snmptrap.exe" (normalized: "c:\\windows\\system32\\snmptrap.exe") Region: id = 4234 start_va = 0xf30000 end_va = 0xf30fff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 4235 start_va = 0x72140000 end_va = 0x72147fff entry_point = 0x72140000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 4236 start_va = 0x72140000 end_va = 0x72147fff entry_point = 0x72140000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 4237 start_va = 0x72140000 end_va = 0x72147fff entry_point = 0x72140000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 4238 start_va = 0x72140000 end_va = 0x72147fff entry_point = 0x72140000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 4239 start_va = 0x71e00000 end_va = 0x71e3ffff entry_point = 0x71e00000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 4240 start_va = 0x71e00000 end_va = 0x71e3ffff entry_point = 0x71e00000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 4241 start_va = 0x71e00000 end_va = 0x71e3ffff entry_point = 0x71e00000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 4242 start_va = 0x71e00000 end_va = 0x71e3ffff entry_point = 0x71e00000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 4243 start_va = 0x71e00000 end_va = 0x71e3ffff entry_point = 0x71e00000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 4244 start_va = 0x71e00000 end_va = 0x71e3ffff entry_point = 0x71e00000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 4245 start_va = 0x71e00000 end_va = 0x71e3ffff entry_point = 0x71e00000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 4246 start_va = 0x71e00000 end_va = 0x71e3ffff entry_point = 0x71e00000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 4247 start_va = 0x71e00000 end_va = 0x71e3ffff entry_point = 0x71e00000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 4248 start_va = 0x71e00000 end_va = 0x71e3ffff entry_point = 0x71e00000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 4269 start_va = 0x74730000 end_va = 0x74750fff entry_point = 0x74730000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4270 start_va = 0x77370000 end_va = 0x773b4fff entry_point = 0x77370000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 4271 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4272 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4273 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4274 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4275 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4276 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4277 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4278 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4279 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4280 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4281 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4282 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4283 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4284 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4285 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4286 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4287 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4288 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4289 start_va = 0x71260000 end_va = 0x71261fff entry_point = 0x71260000 region_type = mapped_file name = "servicemodelevents.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ServiceModelEvents.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\servicemodelevents.dll") Region: id = 4290 start_va = 0xf40000 end_va = 0xf4afff entry_point = 0xf40000 region_type = mapped_file name = "servicemodelevents.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\en-US\\ServiceModelEvents.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\en-us\\servicemodelevents.dll.mui") Region: id = 4291 start_va = 0x71140000 end_va = 0x71141fff entry_point = 0x71140000 region_type = mapped_file name = "servicemodelevents.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ServiceModelEvents.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\servicemodelevents.dll") Region: id = 4292 start_va = 0xf40000 end_va = 0xf4afff entry_point = 0xf40000 region_type = mapped_file name = "servicemodelevents.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\en-US\\ServiceModelEvents.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\en-us\\servicemodelevents.dll.mui") Region: id = 4293 start_va = 0x710a0000 end_va = 0x71144fff entry_point = 0x710a0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4294 start_va = 0x70ff0000 end_va = 0x71094fff entry_point = 0x70ff0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4295 start_va = 0x710a0000 end_va = 0x71144fff entry_point = 0x710a0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4296 start_va = 0x70ff0000 end_va = 0x71094fff entry_point = 0x70ff0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4297 start_va = 0x710a0000 end_va = 0x71144fff entry_point = 0x710a0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4298 start_va = 0x70ff0000 end_va = 0x71094fff entry_point = 0x70ff0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4299 start_va = 0x710a0000 end_va = 0x71144fff entry_point = 0x710a0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4300 start_va = 0x70ff0000 end_va = 0x71094fff entry_point = 0x70ff0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4301 start_va = 0x710a0000 end_va = 0x71144fff entry_point = 0x710a0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4302 start_va = 0x70ff0000 end_va = 0x71094fff entry_point = 0x70ff0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4303 start_va = 0x710a0000 end_va = 0x71144fff entry_point = 0x710a0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4304 start_va = 0x70ff0000 end_va = 0x71094fff entry_point = 0x70ff0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4305 start_va = 0x710a0000 end_va = 0x71144fff entry_point = 0x710a0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4306 start_va = 0x70ff0000 end_va = 0x71094fff entry_point = 0x70ff0000 region_type = mapped_file name = "peerdistsh.dll" filename = "\\Windows\\System32\\PeerDistSh.dll" (normalized: "c:\\windows\\system32\\peerdistsh.dll") Region: id = 4307 start_va = 0x71120000 end_va = 0x7114afff entry_point = 0x71120000 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 4308 start_va = 0x710f0000 end_va = 0x7111afff entry_point = 0x710f0000 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 4309 start_va = 0x71120000 end_va = 0x7114afff entry_point = 0x71120000 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 4310 start_va = 0x710f0000 end_va = 0x7111afff entry_point = 0x710f0000 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 4311 start_va = 0x71120000 end_va = 0x7114afff entry_point = 0x71120000 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 4312 start_va = 0x710f0000 end_va = 0x7111afff entry_point = 0x710f0000 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 4313 start_va = 0x71120000 end_va = 0x7114afff entry_point = 0x71120000 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 4314 start_va = 0x710f0000 end_va = 0x7111afff entry_point = 0x710f0000 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 4315 start_va = 0x74cf0000 end_va = 0x74d7bfff entry_point = 0x74cf0000 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 4316 start_va = 0x74cf0000 end_va = 0x74d7bfff entry_point = 0x74cf0000 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 4317 start_va = 0x71130000 end_va = 0x71148fff entry_point = 0x71130000 region_type = mapped_file name = "sstpsvc.dll" filename = "\\Windows\\System32\\sstpsvc.dll" (normalized: "c:\\windows\\system32\\sstpsvc.dll") Region: id = 4318 start_va = 0x71110000 end_va = 0x71128fff entry_point = 0x71110000 region_type = mapped_file name = "sstpsvc.dll" filename = "\\Windows\\System32\\sstpsvc.dll" (normalized: "c:\\windows\\system32\\sstpsvc.dll") Region: id = 4319 start_va = 0x1540000 end_va = 0x163ffff entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 4333 start_va = 0x74f30000 end_va = 0x74f46fff entry_point = 0x74f30000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4334 start_va = 0x1330000 end_va = 0x136ffff entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 4335 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 4336 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4337 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4338 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4339 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4340 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4341 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4342 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4343 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4344 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4347 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4348 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4349 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4350 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4351 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4352 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4353 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4354 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4355 start_va = 0xf40000 end_va = 0xf52fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4357 start_va = 0xf40000 end_va = 0xf40fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4358 start_va = 0xf40000 end_va = 0xf40fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4359 start_va = 0xf40000 end_va = 0xf40fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4360 start_va = 0xf40000 end_va = 0xf40fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4361 start_va = 0xf40000 end_va = 0xf40fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4362 start_va = 0xf40000 end_va = 0xf40fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 4707 start_va = 0xa60000 end_va = 0xa60fff entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 4708 start_va = 0xa70000 end_va = 0xa70fff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 4709 start_va = 0xa80000 end_va = 0xa80fff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 4710 start_va = 0x1650000 end_va = 0x168ffff entry_point = 0x0 region_type = private name = "private_0x0000000001650000" filename = "" Region: id = 4711 start_va = 0x70850000 end_va = 0x70864fff entry_point = 0x70850000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 4747 start_va = 0x705c0000 end_va = 0x70695fff entry_point = 0x705c0000 region_type = mapped_file name = "diagperf.dll" filename = "\\Windows\\System32\\diagperf.dll" (normalized: "c:\\windows\\system32\\diagperf.dll") Region: id = 4755 start_va = 0x980000 end_va = 0x981fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 4762 start_va = 0xa80000 end_va = 0xabffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 4763 start_va = 0x7ffaa000 end_va = 0x7ffaafff entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Region: id = 4767 start_va = 0xf30000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 4768 start_va = 0x7ffa9000 end_va = 0x7ffa9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 4769 start_va = 0x1790000 end_va = 0x17cffff entry_point = 0x0 region_type = private name = "private_0x0000000001790000" filename = "" Region: id = 4770 start_va = 0x705b0000 end_va = 0x705b5fff entry_point = 0x705b0000 region_type = mapped_file name = "pnpts.dll" filename = "\\Windows\\System32\\pnpts.dll" (normalized: "c:\\windows\\system32\\pnpts.dll") Region: id = 4771 start_va = 0x7ffa8000 end_va = 0x7ffa8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa8000" filename = "" Region: id = 4810 start_va = 0x1710000 end_va = 0x174ffff entry_point = 0x0 region_type = private name = "private_0x0000000001710000" filename = "" Region: id = 4811 start_va = 0x70580000 end_va = 0x70587fff entry_point = 0x70580000 region_type = mapped_file name = "pots.dll" filename = "\\Windows\\System32\\pots.dll" (normalized: "c:\\windows\\system32\\pots.dll") Region: id = 4812 start_va = 0x7ffa7000 end_va = 0x7ffa7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa7000" filename = "" Region: id = 4831 start_va = 0x704e0000 end_va = 0x70577fff entry_point = 0x704e0000 region_type = mapped_file name = "tdh.dll" filename = "\\Windows\\System32\\tdh.dll" (normalized: "c:\\windows\\system32\\tdh.dll") Region: id = 4845 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 4846 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 4847 start_va = 0x990000 end_va = 0x991fff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 4848 start_va = 0x16c0000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x00000000016c0000" filename = "" Region: id = 4849 start_va = 0x18d0000 end_va = 0x190ffff entry_point = 0x0 region_type = private name = "private_0x00000000018d0000" filename = "" Region: id = 4850 start_va = 0x7ffa5000 end_va = 0x7ffa5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa5000" filename = "" Region: id = 4851 start_va = 0x7ffa6000 end_va = 0x7ffa6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa6000" filename = "" Region: id = 4852 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4853 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4854 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4855 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4856 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4857 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4858 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4859 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4860 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4861 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4862 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4863 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4864 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4865 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4866 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4867 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4868 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4869 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4870 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4871 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4872 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4873 start_va = 0x9a0000 end_va = 0x9b2fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 4874 start_va = 0x70870000 end_va = 0x708c9fff entry_point = 0x70870000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4875 start_va = 0x73750000 end_va = 0x7375ffff entry_point = 0x73750000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 4876 start_va = 0x1910000 end_va = 0x1afffff entry_point = 0x0 region_type = private name = "private_0x0000000001910000" filename = "" Region: id = 4877 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4878 start_va = 0x1200000 end_va = 0x123bfff entry_point = 0x1200000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4879 start_va = 0x1200000 end_va = 0x123bfff entry_point = 0x1200000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4880 start_va = 0x1200000 end_va = 0x123bfff entry_point = 0x1200000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4881 start_va = 0x1200000 end_va = 0x123bfff entry_point = 0x1200000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4882 start_va = 0x1200000 end_va = 0x123bfff entry_point = 0x1200000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4883 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4888 start_va = 0x70410000 end_va = 0x70427fff entry_point = 0x70410000 region_type = mapped_file name = "radardt.dll" filename = "\\Windows\\System32\\radardt.dll" (normalized: "c:\\windows\\system32\\radardt.dll") Region: id = 4910 start_va = 0x73cd0000 end_va = 0x73cdcfff entry_point = 0x73cd0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4911 start_va = 0x1b00000 end_va = 0x1dfffff entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 4912 start_va = 0x1e00000 end_va = 0x2000fff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 4913 start_va = 0x1810000 end_va = 0x184ffff entry_point = 0x0 region_type = private name = "private_0x0000000001810000" filename = "" Region: id = 4914 start_va = 0x70400000 end_va = 0x7040afff entry_point = 0x70400000 region_type = mapped_file name = "wdiasqmmodule.dll" filename = "\\Windows\\System32\\wdiasqmmodule.dll" (normalized: "c:\\windows\\system32\\wdiasqmmodule.dll") Region: id = 4915 start_va = 0x7ffa4000 end_va = 0x7ffa4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa4000" filename = "" Region: id = 4925 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 4927 start_va = 0x1930000 end_va = 0x196ffff entry_point = 0x0 region_type = private name = "private_0x0000000001930000" filename = "" Region: id = 4928 start_va = 0x1af0000 end_va = 0x1afffff entry_point = 0x0 region_type = private name = "private_0x0000000001af0000" filename = "" Region: id = 4929 start_va = 0x7ffa3000 end_va = 0x7ffa3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa3000" filename = "" Region: id = 4930 start_va = 0x9b0000 end_va = 0x9bcfff entry_point = 0x9b0000 region_type = mapped_file name = "microsoft-windows-kernel-power-events.dll" filename = "\\Windows\\System32\\microsoft-windows-kernel-power-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-kernel-power-events.dll") Region: id = 4931 start_va = 0x703f0000 end_va = 0x703fdfff entry_point = 0x703f0000 region_type = mapped_file name = "microsoft-windows-kernel-power-events.dll" filename = "\\Windows\\System32\\microsoft-windows-kernel-power-events.dll" (normalized: "c:\\windows\\system32\\microsoft-windows-kernel-power-events.dll") Region: id = 4935 start_va = 0x9c0000 end_va = 0x9c2fff entry_point = 0x9c0000 region_type = mapped_file name = "microsoft-windows-kernel-power-events.dll.mui" filename = "\\Windows\\System32\\en-US\\microsoft-windows-kernel-power-events.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\microsoft-windows-kernel-power-events.dll.mui") Region: id = 5008 start_va = 0x1a30000 end_va = 0x1a6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a30000" filename = "" Region: id = 5009 start_va = 0x7ffa2000 end_va = 0x7ffa2fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa2000" filename = "" Region: id = 5010 start_va = 0x70590000 end_va = 0x70597fff entry_point = 0x70590000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Thread: id = 387 os_tid = 0x56c Thread: id = 391 os_tid = 0x57c Thread: id = 392 os_tid = 0x580 Thread: id = 393 os_tid = 0x584 Thread: id = 394 os_tid = 0x588 Thread: id = 396 os_tid = 0x590 Thread: id = 400 os_tid = 0x5a4 Thread: id = 402 os_tid = 0x5ac Thread: id = 404 os_tid = 0x5b4 Thread: id = 405 os_tid = 0x5b8 Thread: id = 406 os_tid = 0x5bc Thread: id = 407 os_tid = 0x5c0 Thread: id = 409 os_tid = 0x5c8 Thread: id = 416 os_tid = 0x5e8 Thread: id = 419 os_tid = 0x5f8 Thread: id = 420 os_tid = 0x5fc Thread: id = 421 os_tid = 0x600 Thread: id = 423 os_tid = 0x608 Thread: id = 437 os_tid = 0x640 Thread: id = 482 os_tid = 0x6f8 Thread: id = 489 os_tid = 0x71c Thread: id = 490 os_tid = 0x720 Thread: id = 491 os_tid = 0x724 Thread: id = 499 os_tid = 0x744 Thread: id = 504 os_tid = 0x758 Thread: id = 508 os_tid = 0x764 Thread: id = 509 os_tid = 0x768 Thread: id = 512 os_tid = 0x774 Thread: id = 527 os_tid = 0x7b0 Process: id = "35" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1fa220" os_pid = "0x5ec" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x1a8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\FDResPub" [0xe], "NT SERVICE\\FontCache" [0xa], "NT SERVICE\\Mcx2Svc" [0xa], "NT SERVICE\\QWAVE" [0xa], "NT SERVICE\\SCardSvr" [0xa], "NT SERVICE\\SensrSvc" [0xa], "NT SERVICE\\SSDPSRV" [0xa], "NT SERVICE\\TBS" [0xa], "NT SERVICE\\upnphost" [0xa], "NT SERVICE\\wcncsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:00011c23" [0xc000000f], "LOCAL" [0x7] Region: id = 4013 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4014 start_va = 0x30000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4015 start_va = 0x70000 end_va = 0x73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 4016 start_va = 0xae0000 end_va = 0xae7fff entry_point = 0xae0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 4017 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4018 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4019 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4020 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 4021 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 4022 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 4028 start_va = 0x90000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 4029 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4030 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4031 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4032 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 4033 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4034 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 4035 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4036 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4037 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4038 start_va = 0x210000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 4039 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4040 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4041 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4042 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 4043 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 4044 start_va = 0x210000 end_va = 0x2d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 4045 start_va = 0x310000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4046 start_va = 0x2e0000 end_va = 0x2fcfff entry_point = 0x2e0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4047 start_va = 0x2e0000 end_va = 0x2fcfff entry_point = 0x2e0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4048 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4049 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4050 start_va = 0x320000 end_va = 0x420fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 4051 start_va = 0x430000 end_va = 0x4affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 4052 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4053 start_va = 0x100000 end_va = 0x101fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 4054 start_va = 0x2e0000 end_va = 0x2e0fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 4055 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 4056 start_va = 0x4b0000 end_va = 0x8a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 4057 start_va = 0x8b0000 end_va = 0x90bfff entry_point = 0x8b0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4058 start_va = 0x8b0000 end_va = 0x90bfff entry_point = 0x8b0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4059 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4074 start_va = 0x9b0000 end_va = 0x9effff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 4075 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 4077 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4085 start_va = 0x910000 end_va = 0x94ffff entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 4086 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 4087 start_va = 0xb70000 end_va = 0xbaffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 4088 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 4090 start_va = 0xc20000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 4091 start_va = 0xc60000 end_va = 0xf2efff entry_point = 0xc60000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4092 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 4093 start_va = 0x71360000 end_va = 0x71369fff entry_point = 0x71360000 region_type = mapped_file name = "fdrespub.dll" filename = "\\Windows\\System32\\FDResPub.dll" (normalized: "c:\\windows\\system32\\fdrespub.dll") Region: id = 4096 start_va = 0x712e0000 end_va = 0x71352fff entry_point = 0x712e0000 region_type = mapped_file name = "wsdapi.dll" filename = "\\Windows\\System32\\WSDApi.dll" (normalized: "c:\\windows\\system32\\wsdapi.dll") Region: id = 4115 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4116 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4117 start_va = 0x72230000 end_va = 0x7224bfff entry_point = 0x72230000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4118 start_va = 0x72220000 end_va = 0x72226fff entry_point = 0x72220000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4119 start_va = 0x71190000 end_va = 0x71251fff entry_point = 0x71190000 region_type = mapped_file name = "webservices.dll" filename = "\\Windows\\System32\\webservices.dll" (normalized: "c:\\windows\\system32\\webservices.dll") Region: id = 4122 start_va = 0x74880000 end_va = 0x748f5fff entry_point = 0x74880000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 4123 start_va = 0x74870000 end_va = 0x74878fff entry_point = 0x74870000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4124 start_va = 0x300000 end_va = 0x300fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 4125 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4126 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4127 start_va = 0x8b0000 end_va = 0x8b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 4128 start_va = 0x71280000 end_va = 0x712aafff entry_point = 0x71280000 region_type = mapped_file name = "fundisc.dll" filename = "\\Windows\\System32\\fundisc.dll" (normalized: "c:\\windows\\system32\\fundisc.dll") Region: id = 4222 start_va = 0x73680000 end_va = 0x73693fff entry_point = 0x73680000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 4223 start_va = 0x765e0000 end_va = 0x76636fff entry_point = 0x765e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4224 start_va = 0x71d10000 end_va = 0x71d1cfff entry_point = 0x71d10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4228 start_va = 0x71cf0000 end_va = 0x71d01fff entry_point = 0x71cf0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4229 start_va = 0x74de0000 end_va = 0x74e1bfff entry_point = 0x74de0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4230 start_va = 0xf30000 end_va = 0x102ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 4231 start_va = 0x74dd0000 end_va = 0x74dd5fff entry_point = 0x74dd0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 4232 start_va = 0x71510000 end_va = 0x71515fff entry_point = 0x71510000 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 4233 start_va = 0x74900000 end_va = 0x74904fff entry_point = 0x74900000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 4331 start_va = 0xa40000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 4332 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 4363 start_va = 0x721c0000 end_va = 0x72217fff entry_point = 0x721c0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4364 start_va = 0x71820000 end_va = 0x7186efff entry_point = 0x71820000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 4365 start_va = 0x71260000 end_va = 0x7126afff entry_point = 0x71260000 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 4366 start_va = 0x74980000 end_va = 0x7498afff entry_point = 0x74980000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 4369 start_va = 0xb10000 end_va = 0xb4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 4370 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 4375 start_va = 0x73bb0000 end_va = 0x73bbefff entry_point = 0x73bb0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4376 start_va = 0x73bc0000 end_va = 0x73bc8fff entry_point = 0x73bc0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4377 start_va = 0x10b0000 end_va = 0x10effff entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 4378 start_va = 0x70ff0000 end_va = 0x71147fff entry_point = 0x70ff0000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 4379 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 4380 start_va = 0x10f0000 end_va = 0x119ffff entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 4381 start_va = 0x11a0000 end_va = 0x123ffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 4382 start_va = 0x1240000 end_va = 0x12effff entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 4383 start_va = 0x12f0000 end_va = 0x13affff entry_point = 0x12f0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4384 start_va = 0x13b0000 end_va = 0x17affff entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 4385 start_va = 0x8c0000 end_va = 0x8c0fff entry_point = 0x8c0000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 4386 start_va = 0x8d0000 end_va = 0x8effff entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 4387 start_va = 0x17d0000 end_va = 0x180ffff entry_point = 0x0 region_type = private name = "private_0x00000000017d0000" filename = "" Region: id = 4388 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 4389 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4390 start_va = 0x950000 end_va = 0x98bfff entry_point = 0x950000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4391 start_va = 0x950000 end_va = 0x98bfff entry_point = 0x950000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4392 start_va = 0x950000 end_va = 0x98bfff entry_point = 0x950000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4393 start_va = 0x950000 end_va = 0x98bfff entry_point = 0x950000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4394 start_va = 0x950000 end_va = 0x98bfff entry_point = 0x950000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4395 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4396 start_va = 0x1260000 end_va = 0x129ffff entry_point = 0x0 region_type = private name = "private_0x0000000001260000" filename = "" Region: id = 4397 start_va = 0x12b0000 end_va = 0x12effff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 4398 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 4399 start_va = 0x1050000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 4400 start_va = 0x1830000 end_va = 0x186ffff entry_point = 0x0 region_type = private name = "private_0x0000000001830000" filename = "" Region: id = 4401 start_va = 0x73df0000 end_va = 0x73e1efff entry_point = 0x73df0000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 4402 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 4403 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 4765 start_va = 0xbf0000 end_va = 0xc2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Thread: id = 417 os_tid = 0x5f0 Thread: id = 418 os_tid = 0x5f4 Thread: id = 425 os_tid = 0x610 Thread: id = 426 os_tid = 0x614 Thread: id = 427 os_tid = 0x618 Thread: id = 433 os_tid = 0x630 Thread: id = 439 os_tid = 0x648 Thread: id = 440 os_tid = 0x64c Thread: id = 441 os_tid = 0x650 Thread: id = 442 os_tid = 0x654 Thread: id = 443 os_tid = 0x658 Thread: id = 444 os_tid = 0x65c Thread: id = 468 os_tid = 0x6b8 Thread: id = 492 os_tid = 0x728 Process: id = "36" image_name = "sppsvc.exe" filename = "c:\\windows\\system32\\sppsvc.exe" page_root = "0x7f1fa300" os_pid = "0x6d0" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x1a8" cmd_line = "C:\\Windows\\system32\\sppsvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\sppsvc" [0xe], "NT AUTHORITY\\Logon Session 00000000:00014700" [0xc000000f], "LOCAL" [0x7] Region: id = 4596 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4597 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4598 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 4599 start_va = 0x540000 end_va = 0x84afff entry_point = 0x540000 region_type = mapped_file name = "sppsvc.exe" filename = "\\Windows\\System32\\sppsvc.exe" (normalized: "c:\\windows\\system32\\sppsvc.exe") Region: id = 4600 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4601 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4602 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4603 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 4604 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 4606 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4610 start_va = 0xd0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 4611 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4612 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4613 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4614 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 4615 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4616 start_va = 0x1e0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 4617 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4618 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4619 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4620 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4621 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4622 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4623 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4624 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 4625 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 4626 start_va = 0x2e0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 4627 start_va = 0x50000 end_va = 0x6cfff entry_point = 0x50000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4628 start_va = 0x2e0000 end_va = 0x3a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 4629 start_va = 0x4c0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 4630 start_va = 0x50000 end_va = 0x6cfff entry_point = 0x50000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4633 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4634 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4635 start_va = 0x140000 end_va = 0x1bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 4636 start_va = 0x3b0000 end_va = 0x4b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 4637 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4638 start_va = 0x50000 end_va = 0x51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 4639 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4640 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 4641 start_va = 0x850000 end_va = 0xc42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 4647 start_va = 0x4d0000 end_va = 0x52bfff entry_point = 0x4d0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4648 start_va = 0x4d0000 end_va = 0x52bfff entry_point = 0x4d0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4649 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4693 start_va = 0xc70000 end_va = 0xcaffff entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 4694 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 4718 start_va = 0xcb0000 end_va = 0xd2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 4719 start_va = 0xd30000 end_va = 0xd6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 4720 start_va = 0xdb0000 end_va = 0xdeffff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 4721 start_va = 0xf30000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 4722 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 4723 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 4724 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 4726 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 5024 start_va = 0xe00000 end_va = 0xe3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 5025 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 5026 start_va = 0x4d0000 end_va = 0x50bfff entry_point = 0x4d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5027 start_va = 0x4d0000 end_va = 0x50bfff entry_point = 0x4d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5028 start_va = 0x4d0000 end_va = 0x50bfff entry_point = 0x4d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5029 start_va = 0x4d0000 end_va = 0x50bfff entry_point = 0x4d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5030 start_va = 0x4d0000 end_va = 0x50bfff entry_point = 0x4d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5031 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5032 start_va = 0xe40000 end_va = 0x110efff entry_point = 0xe40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5047 start_va = 0x4f0000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 5048 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 5049 start_va = 0x1110000 end_va = 0x120ffff entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 5072 start_va = 0x70330000 end_va = 0x70396fff entry_point = 0x70330000 region_type = mapped_file name = "sppwinob.dll" filename = "\\Windows\\System32\\sppwinob.dll" (normalized: "c:\\windows\\system32\\sppwinob.dll") Region: id = 5073 start_va = 0x1210000 end_va = 0x1274fff entry_point = 0x1210000 region_type = mapped_file name = "sppwinob.dll" filename = "\\Windows\\System32\\sppwinob.dll" (normalized: "c:\\windows\\system32\\sppwinob.dll") Region: id = 5079 start_va = 0x702c0000 end_va = 0x70326fff entry_point = 0x702c0000 region_type = mapped_file name = "sppwinob.dll" filename = "\\Windows\\System32\\sppwinob.dll" (normalized: "c:\\windows\\system32\\sppwinob.dll") Region: id = 5088 start_va = 0x701c0000 end_va = 0x702b0fff entry_point = 0x701c0000 region_type = mapped_file name = "sppobjs.dll" filename = "\\Windows\\System32\\sppobjs.dll" (normalized: "c:\\windows\\system32\\sppobjs.dll") Region: id = 5090 start_va = 0x1210000 end_va = 0x12fdfff entry_point = 0x1210000 region_type = mapped_file name = "sppobjs.dll" filename = "\\Windows\\System32\\sppobjs.dll" (normalized: "c:\\windows\\system32\\sppobjs.dll") Region: id = 5092 start_va = 0x700c0000 end_va = 0x701b0fff entry_point = 0x700c0000 region_type = mapped_file name = "sppobjs.dll" filename = "\\Windows\\System32\\sppobjs.dll" (normalized: "c:\\windows\\system32\\sppobjs.dll") Region: id = 5093 start_va = 0x74ca0000 end_va = 0x74ce3fff entry_point = 0x74ca0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 5094 start_va = 0x76ec0000 end_va = 0x76ef4fff entry_point = 0x76ec0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5095 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5096 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 5097 start_va = 0x1210000 end_va = 0x126ffff entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 5100 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 5101 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 5102 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 5103 start_va = 0x736a0000 end_va = 0x7371cfff entry_point = 0x736a0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 5104 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 5156 start_va = 0x1270000 end_va = 0x1460fff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 5159 start_va = 0x1470000 end_va = 0x1660fff entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 5160 start_va = 0x1670000 end_va = 0x1860fff entry_point = 0x0 region_type = private name = "private_0x0000000001670000" filename = "" Region: id = 5167 start_va = 0x1270000 end_va = 0x136ffff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 5204 start_va = 0x1500000 end_va = 0x153ffff entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 5205 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 5206 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 5207 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 5208 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 5241 start_va = 0x755a0000 end_va = 0x755ccfff entry_point = 0x755a0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 5242 start_va = 0x75480000 end_va = 0x7559cfff entry_point = 0x75480000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 5243 start_va = 0x75390000 end_va = 0x7539bfff entry_point = 0x75390000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 5264 start_va = 0x1870000 end_va = 0x1a6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001870000" filename = "" Region: id = 5270 start_va = 0x80000 end_va = 0x81fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Thread: id = 474 os_tid = 0x6d4 Thread: id = 477 os_tid = 0x6e4 Thread: id = 478 os_tid = 0x6e8 Thread: id = 479 os_tid = 0x6ec Thread: id = 480 os_tid = 0x6f0 Thread: id = 520 os_tid = 0x794 Thread: id = 528 os_tid = 0x7b4 Thread: id = 536 os_tid = 0x7d4 Process: id = "37" image_name = "drvinst.exe" filename = "c:\\windows\\system32\\drvinst.exe" page_root = "0x7f1fa320" os_pid = "0x6dc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0x234" cmd_line = "DrvInst.exe \"1\" \"200\" \"acpi\\genuineintel_-_x86_family_6_model_94_-_intel(r)_core(tm)_i5-7500_cpu_@_3.40ghz\\_0\" \"\" \"\" \"68a85eb53\" \"00000000\" \"00000548\" \"0000054C\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\DcomLaunch" [0xe], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xe], "NT AUTHORITY\\Logon Session 00000000:00006913" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 4650 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4651 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4652 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 4653 start_va = 0x1c0000 end_va = 0x200fff entry_point = 0x1c0000 region_type = mapped_file name = "drvinst.exe" filename = "\\Windows\\System32\\drvinst.exe" (normalized: "c:\\windows\\system32\\drvinst.exe") Region: id = 4654 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4655 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4656 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4657 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 4658 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 4662 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4663 start_va = 0x210000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 4664 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4665 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4666 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4667 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 4668 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4669 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4670 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 4671 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4672 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4673 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4674 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4675 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4676 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4677 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 4678 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 4679 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4680 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4681 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 4682 start_va = 0x749f0000 end_va = 0x749fdfff entry_point = 0x749f0000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 4683 start_va = 0x3c0000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 4684 start_va = 0x3c0000 end_va = 0x487fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 4685 start_va = 0x580000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 4686 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4687 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4688 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4689 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4690 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 4691 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 4692 start_va = 0x590000 end_va = 0x690fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 4712 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4713 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 4714 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0xd0000 region_type = mapped_file name = "drvinst.exe.mui" filename = "\\Windows\\System32\\en-US\\drvinst.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\drvinst.exe.mui") Region: id = 4734 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 4735 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4736 start_va = 0x6a0000 end_va = 0xa92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 4760 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 4761 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 4764 start_va = 0x100000 end_va = 0x107fff entry_point = 0x100000 region_type = mapped_file name = "setupapi.ev3" filename = "\\Windows\\inf\\setupapi.ev3" (normalized: "c:\\windows\\inf\\setupapi.ev3") Region: id = 4772 start_va = 0x100000 end_va = 0x101fff entry_point = 0x100000 region_type = mapped_file name = "setupapi.ev1" filename = "\\Windows\\inf\\setupapi.ev1" (normalized: "c:\\windows\\inf\\setupapi.ev1") Region: id = 4784 start_va = 0x530000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 4785 start_va = 0xaa0000 end_va = 0xe04fff entry_point = 0xaa0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4786 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 4787 start_va = 0xaa0000 end_va = 0xe04fff entry_point = 0xaa0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4788 start_va = 0xaa0000 end_va = 0xe04fff entry_point = 0xaa0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4801 start_va = 0xaa0000 end_va = 0xe04fff entry_point = 0xaa0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4802 start_va = 0xaa0000 end_va = 0xd6efff entry_point = 0xaa0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4803 start_va = 0xd70000 end_va = 0x10d4fff entry_point = 0xd70000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4804 start_va = 0xd70000 end_va = 0x10d4fff entry_point = 0xd70000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4805 start_va = 0xd70000 end_va = 0x10d4fff entry_point = 0xd70000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4806 start_va = 0xd70000 end_va = 0x10d4fff entry_point = 0xd70000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4807 start_va = 0xd70000 end_va = 0x10d4fff entry_point = 0xd70000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4813 start_va = 0xd70000 end_va = 0x10d4fff entry_point = 0xd70000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4814 start_va = 0xd70000 end_va = 0x10d4fff entry_point = 0xd70000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4815 start_va = 0xd70000 end_va = 0x10d4fff entry_point = 0xd70000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4817 start_va = 0xd70000 end_va = 0x10d4fff entry_point = 0xd70000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4819 start_va = 0xd70000 end_va = 0x10d4fff entry_point = 0xd70000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4820 start_va = 0xd70000 end_va = 0x10d4fff entry_point = 0xd70000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4822 start_va = 0xd70000 end_va = 0x10d4fff entry_point = 0xd70000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 4824 start_va = 0x150000 end_va = 0x164fff entry_point = 0x150000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 4825 start_va = 0x290000 end_va = 0x2b2fff entry_point = 0x290000 region_type = mapped_file name = "infstrng.dat" filename = "\\Windows\\System32\\DriverStore\\infstrng.dat" (normalized: "c:\\windows\\system32\\driverstore\\infstrng.dat") Region: id = 4826 start_va = 0xd70000 end_va = 0xedefff entry_point = 0xd70000 region_type = mapped_file name = "infcache.1" filename = "\\Windows\\System32\\DriverStore\\INFCACHE.1" (normalized: "c:\\windows\\system32\\driverstore\\infcache.1") Region: id = 4916 start_va = 0x490000 end_va = 0x4b2fff entry_point = 0x490000 region_type = mapped_file name = "infstor.dat" filename = "\\Windows\\System32\\DriverStore\\infstor.dat" (normalized: "c:\\windows\\system32\\driverstore\\infstor.dat") Region: id = 4917 start_va = 0x74a00000 end_va = 0x74a14fff entry_point = 0x74a00000 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 4918 start_va = 0x4c0000 end_va = 0x4d4fff entry_point = 0x4c0000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 4919 start_va = 0x4e0000 end_va = 0x502fff entry_point = 0x4e0000 region_type = mapped_file name = "infstor.dat" filename = "\\Windows\\System32\\DriverStore\\infstor.dat" (normalized: "c:\\windows\\system32\\driverstore\\infstor.dat") Region: id = 5021 start_va = 0x100000 end_va = 0x106fff entry_point = 0x100000 region_type = mapped_file name = "cpu.pnf" filename = "\\Windows\\System32\\DriverStore\\FileRepository\\cpu.inf_x86_neutral_729b871528391032\\cpu.PNF" (normalized: "c:\\windows\\system32\\driverstore\\filerepository\\cpu.inf_x86_neutral_729b871528391032\\cpu.pnf") Region: id = 5022 start_va = 0x4e0000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 5023 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 5035 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5036 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5037 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5038 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5039 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5040 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5041 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5042 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5043 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5044 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5045 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5046 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5050 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5051 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5052 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5053 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5054 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5055 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5056 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5057 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5058 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5059 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5060 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5061 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5062 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5063 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5064 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5065 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5066 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5067 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5068 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5069 start_va = 0xee0000 end_va = 0x1244fff entry_point = 0xee0000 region_type = mapped_file name = "setupapi.dev.log" filename = "\\Windows\\inf\\setupapi.dev.log" (normalized: "c:\\windows\\inf\\setupapi.dev.log") Region: id = 5071 start_va = 0x150000 end_va = 0x164fff entry_point = 0x150000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5074 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5075 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x100000 region_type = mapped_file name = "apps.inf" filename = "\\Windows\\inf\\apps.inf" (normalized: "c:\\windows\\inf\\apps.inf") Region: id = 5077 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5078 start_va = 0x100000 end_va = 0x10afff entry_point = 0x100000 region_type = mapped_file name = "defltbase.inf" filename = "\\Windows\\inf\\defltbase.inf" (normalized: "c:\\windows\\inf\\defltbase.inf") Region: id = 5080 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5081 start_va = 0x100000 end_va = 0x10afff entry_point = 0x100000 region_type = mapped_file name = "defltbase.inf" filename = "\\Windows\\inf\\defltbase.inf" (normalized: "c:\\windows\\inf\\defltbase.inf") Region: id = 5082 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5083 start_va = 0x100000 end_va = 0x100fff entry_point = 0x100000 region_type = mapped_file name = "dshowext.inf" filename = "\\Windows\\inf\\dshowext.inf" (normalized: "c:\\windows\\inf\\dshowext.inf") Region: id = 5084 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5085 start_va = 0x100000 end_va = 0x109fff entry_point = 0x100000 region_type = mapped_file name = "dwup.inf" filename = "\\Windows\\inf\\dwup.inf" (normalized: "c:\\windows\\inf\\dwup.inf") Region: id = 5086 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5087 start_va = 0x290000 end_va = 0x2a3fff entry_point = 0x290000 region_type = mapped_file name = "errata.inf" filename = "\\Windows\\inf\\errata.inf" (normalized: "c:\\windows\\inf\\errata.inf") Region: id = 5089 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5091 start_va = 0x490000 end_va = 0x4cefff entry_point = 0x490000 region_type = mapped_file name = "fontsetup.inf" filename = "\\Windows\\inf\\fontsetup.inf" (normalized: "c:\\windows\\inf\\fontsetup.inf") Region: id = 5168 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5169 start_va = 0x100000 end_va = 0x101fff entry_point = 0x100000 region_type = mapped_file name = "lltdio.inf" filename = "\\Windows\\inf\\lltdio.inf" (normalized: "c:\\windows\\inf\\lltdio.inf") Region: id = 5170 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5171 start_va = 0x100000 end_va = 0x101fff entry_point = 0x100000 region_type = mapped_file name = "ndiscap.inf" filename = "\\Windows\\inf\\ndiscap.inf" (normalized: "c:\\windows\\inf\\ndiscap.inf") Region: id = 5172 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5173 start_va = 0x100000 end_va = 0x100fff entry_point = 0x100000 region_type = mapped_file name = "ndisuio.inf" filename = "\\Windows\\inf\\ndisuio.inf" (normalized: "c:\\windows\\inf\\ndisuio.inf") Region: id = 5187 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5188 start_va = 0x100000 end_va = 0x101fff entry_point = 0x100000 region_type = mapped_file name = "netavpna.inf" filename = "\\Windows\\inf\\netavpna.inf" (normalized: "c:\\windows\\inf\\netavpna.inf") Region: id = 5190 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5191 start_va = 0x100000 end_va = 0x100fff entry_point = 0x100000 region_type = mapped_file name = "netavpnt.inf" filename = "\\Windows\\inf\\netavpnt.inf" (normalized: "c:\\windows\\inf\\netavpnt.inf") Region: id = 5202 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5203 start_va = 0x100000 end_va = 0x100fff entry_point = 0x100000 region_type = mapped_file name = "netbrdgm.inf" filename = "\\Windows\\inf\\netbrdgm.inf" (normalized: "c:\\windows\\inf\\netbrdgm.inf") Region: id = 5226 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5227 start_va = 0x100000 end_va = 0x100fff entry_point = 0x100000 region_type = mapped_file name = "netbrdgs.inf" filename = "\\Windows\\inf\\netbrdgs.inf" (normalized: "c:\\windows\\inf\\netbrdgs.inf") Region: id = 5240 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5246 start_va = 0x100000 end_va = 0x102fff entry_point = 0x100000 region_type = mapped_file name = "netip6.inf" filename = "\\Windows\\inf\\netip6.inf" (normalized: "c:\\windows\\inf\\netip6.inf") Region: id = 5251 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5252 start_va = 0x100000 end_va = 0x101fff entry_point = 0x100000 region_type = mapped_file name = "netmscli.inf" filename = "\\Windows\\inf\\netmscli.inf" (normalized: "c:\\windows\\inf\\netmscli.inf") Region: id = 5253 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5254 start_va = 0x100000 end_va = 0x100fff entry_point = 0x100000 region_type = mapped_file name = "netnb.inf" filename = "\\Windows\\inf\\netnb.inf" (normalized: "c:\\windows\\inf\\netnb.inf") Region: id = 5255 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5257 start_va = 0x100000 end_va = 0x108fff entry_point = 0x100000 region_type = mapped_file name = "netnwifi.inf" filename = "\\Windows\\inf\\netnwifi.inf" (normalized: "c:\\windows\\inf\\netnwifi.inf") Region: id = 5258 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5259 start_va = 0x100000 end_va = 0x101fff entry_point = 0x100000 region_type = mapped_file name = "netpacer.inf" filename = "\\Windows\\inf\\netpacer.inf" (normalized: "c:\\windows\\inf\\netpacer.inf") Region: id = 5260 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5261 start_va = 0x100000 end_va = 0x102fff entry_point = 0x100000 region_type = mapped_file name = "netpgm.inf" filename = "\\Windows\\inf\\netpgm.inf" (normalized: "c:\\windows\\inf\\netpgm.inf") Region: id = 5262 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5263 start_va = 0x100000 end_va = 0x107fff entry_point = 0x100000 region_type = mapped_file name = "netrasa.inf" filename = "\\Windows\\inf\\netrasa.inf" (normalized: "c:\\windows\\inf\\netrasa.inf") Region: id = 5265 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5266 start_va = 0x100000 end_va = 0x101fff entry_point = 0x100000 region_type = mapped_file name = "netrass.inf" filename = "\\Windows\\inf\\netrass.inf" (normalized: "c:\\windows\\inf\\netrass.inf") Region: id = 5267 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5268 start_va = 0x100000 end_va = 0x103fff entry_point = 0x100000 region_type = mapped_file name = "netrast.inf" filename = "\\Windows\\inf\\netrast.inf" (normalized: "c:\\windows\\inf\\netrast.inf") Region: id = 5271 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5272 start_va = 0x100000 end_va = 0x100fff entry_point = 0x100000 region_type = mapped_file name = "netserv.inf" filename = "\\Windows\\inf\\netserv.inf" (normalized: "c:\\windows\\inf\\netserv.inf") Region: id = 5275 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5276 start_va = 0x100000 end_va = 0x101fff entry_point = 0x100000 region_type = mapped_file name = "netsstpa.inf" filename = "\\Windows\\inf\\netsstpa.inf" (normalized: "c:\\windows\\inf\\netsstpa.inf") Region: id = 5277 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5278 start_va = 0x100000 end_va = 0x100fff entry_point = 0x100000 region_type = mapped_file name = "netsstpt.inf" filename = "\\Windows\\inf\\netsstpt.inf" (normalized: "c:\\windows\\inf\\netsstpt.inf") Region: id = 5279 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5280 start_va = 0x100000 end_va = 0x109fff entry_point = 0x100000 region_type = mapped_file name = "nettcpip.inf" filename = "\\Windows\\inf\\nettcpip.inf" (normalized: "c:\\windows\\inf\\nettcpip.inf") Region: id = 5285 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5290 start_va = 0x100000 end_va = 0x101fff entry_point = 0x100000 region_type = mapped_file name = "netvwififlt.inf" filename = "\\Windows\\inf\\netvwififlt.inf" (normalized: "c:\\windows\\inf\\netvwififlt.inf") Region: id = 5291 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5292 start_va = 0x100000 end_va = 0x101fff entry_point = 0x100000 region_type = mapped_file name = "netvwifimp.inf" filename = "\\Windows\\inf\\netvwifimp.inf" (normalized: "c:\\windows\\inf\\netvwifimp.inf") Region: id = 5295 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5307 start_va = 0x100000 end_va = 0x101fff entry_point = 0x100000 region_type = mapped_file name = "printupg.inf" filename = "\\Windows\\inf\\printupg.inf" (normalized: "c:\\windows\\inf\\printupg.inf") Region: id = 5348 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5349 start_va = 0x100000 end_va = 0x102fff entry_point = 0x100000 region_type = mapped_file name = "puwk.inf" filename = "\\Windows\\inf\\puwk.inf" (normalized: "c:\\windows\\inf\\puwk.inf") Region: id = 5353 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5354 start_va = 0x100000 end_va = 0x101fff entry_point = 0x100000 region_type = mapped_file name = "rspndr.inf" filename = "\\Windows\\inf\\rspndr.inf" (normalized: "c:\\windows\\inf\\rspndr.inf") Region: id = 5355 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5356 start_va = 0x100000 end_va = 0x103fff entry_point = 0x100000 region_type = mapped_file name = "sceregvl.inf" filename = "\\Windows\\inf\\sceregvl.inf" (normalized: "c:\\windows\\inf\\sceregvl.inf") Region: id = 5358 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5359 start_va = 0x100000 end_va = 0x102fff entry_point = 0x100000 region_type = mapped_file name = "secrecs.inf" filename = "\\Windows\\inf\\secrecs.inf" (normalized: "c:\\windows\\inf\\secrecs.inf") Region: id = 5360 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x290000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\System32\\DriverStore\\infpub.dat" (normalized: "c:\\windows\\system32\\driverstore\\infpub.dat") Region: id = 5363 start_va = 0x100000 end_va = 0x101fff entry_point = 0x100000 region_type = mapped_file name = "wfplwf.inf" filename = "\\Windows\\inf\\wfplwf.inf" (normalized: "c:\\windows\\inf\\wfplwf.inf") Thread: id = 476 os_tid = 0x6e0 Thread: id = 487 os_tid = 0x714 Thread: id = 496 os_tid = 0x738 Thread: id = 510 os_tid = 0x76c Process: id = "38" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x7f1fa340" os_pid = "0x700" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x1a8" cmd_line = "taskhost.exe SYSTEM" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 4698 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4699 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4700 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 4701 start_va = 0xfa0000 end_va = 0xfaefff entry_point = 0xfa0000 region_type = mapped_file name = "taskhost.exe" filename = "\\Windows\\System32\\taskhost.exe" (normalized: "c:\\windows\\system32\\taskhost.exe") Region: id = 4702 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4703 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4704 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4705 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 4706 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 4889 start_va = 0x190000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 4890 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4891 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4892 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4893 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 4894 start_va = 0x40000 end_va = 0xa6fff entry_point = 0x40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4895 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4896 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4897 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4898 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4899 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 4900 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 4901 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4902 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4903 start_va = 0x390000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 4904 start_va = 0xb0000 end_va = 0xccfff entry_point = 0xb0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4905 start_va = 0x190000 end_va = 0x257fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 4906 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 4907 start_va = 0xb0000 end_va = 0xccfff entry_point = 0xb0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4908 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4909 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4974 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 4975 start_va = 0x390000 end_va = 0x490fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 4976 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 4977 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4978 start_va = 0x130000 end_va = 0x131fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 4979 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 4980 start_va = 0x260000 end_va = 0x260fff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 4981 start_va = 0x4e0000 end_va = 0x8d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 4982 start_va = 0x8e0000 end_va = 0x93bfff entry_point = 0x8e0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4983 start_va = 0x8e0000 end_va = 0x93bfff entry_point = 0x8e0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4984 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4985 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4986 start_va = 0x900000 end_va = 0x93ffff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 4987 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 4988 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4989 start_va = 0x9c0000 end_va = 0x9fffff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 4990 start_va = 0xb30000 end_va = 0xb6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 4991 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 4992 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 4993 start_va = 0xb70000 end_va = 0xd8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 4999 start_va = 0x270000 end_va = 0x270fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 5000 start_va = 0xa70000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 5001 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 5002 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 5003 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 5004 start_va = 0x703a0000 end_va = 0x703aafff entry_point = 0x703a0000 region_type = mapped_file name = "dimsjob.dll" filename = "\\Windows\\System32\\dimsjob.dll" (normalized: "c:\\windows\\system32\\dimsjob.dll") Region: id = 5005 start_va = 0x765e0000 end_va = 0x76636fff entry_point = 0x765e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 5006 start_va = 0x736a0000 end_va = 0x7371cfff entry_point = 0x736a0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 5007 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 5174 start_va = 0x70870000 end_va = 0x708c9fff entry_point = 0x70870000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 5175 start_va = 0x77310000 end_va = 0x77315fff entry_point = 0x77310000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5176 start_va = 0x73750000 end_va = 0x7375ffff entry_point = 0x73750000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 5177 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 5178 start_va = 0x74e20000 end_va = 0x74e35fff entry_point = 0x74e20000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 5179 start_va = 0x940000 end_va = 0x97bfff entry_point = 0x940000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5180 start_va = 0x940000 end_va = 0x97bfff entry_point = 0x940000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5181 start_va = 0x940000 end_va = 0x97bfff entry_point = 0x940000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5182 start_va = 0x940000 end_va = 0x97bfff entry_point = 0x940000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5183 start_va = 0x940000 end_va = 0x97bfff entry_point = 0x940000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5184 start_va = 0x74bc0000 end_va = 0x74bfafff entry_point = 0x74bc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5185 start_va = 0xfb0000 end_va = 0x127efff entry_point = 0xfb0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5186 start_va = 0x75310000 end_va = 0x7531dfff entry_point = 0x75310000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Thread: id = 505 os_tid = 0x704 Thread: id = 521 os_tid = 0x798 Thread: id = 522 os_tid = 0x79c Thread: id = 524 os_tid = 0x7a0 Thread: id = 525 os_tid = 0x7a4 Process: id = "39" image_name = "userinit.exe" filename = "c:\\windows\\system32\\userinit.exe" page_root = "0x7f1fa260" os_pid = "0x7f8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "16" os_parent_pid = "0x17c" cmd_line = "C:\\Windows\\system32\\userinit.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000da77" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5296 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5297 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5298 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 5299 start_va = 0x610000 end_va = 0x618fff entry_point = 0x610000 region_type = mapped_file name = "userinit.exe" filename = "\\Windows\\System32\\userinit.exe" (normalized: "c:\\windows\\system32\\userinit.exe") Region: id = 5300 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5301 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5302 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5303 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 5304 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 5306 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5308 start_va = 0x250000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 5309 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5310 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5311 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5312 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 5313 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5314 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5315 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5316 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 5317 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 5318 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5319 start_va = 0x749d0000 end_va = 0x749e6fff entry_point = 0x749d0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 5320 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5321 start_va = 0x75320000 end_va = 0x7532afff entry_point = 0x75320000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 5322 start_va = 0xc0000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 5323 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5324 start_va = 0x170000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 5325 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 5326 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 5327 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5328 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5329 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5330 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 5331 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 5339 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5340 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 5341 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 5342 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 5343 start_va = 0x1220000 end_va = 0x1612fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Region: id = 5344 start_va = 0x74150000 end_va = 0x7418ffff entry_point = 0x74150000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 5345 start_va = 0x550000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 5346 start_va = 0x1620000 end_va = 0x16fefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001620000" filename = "" Region: id = 5347 start_va = 0x73e20000 end_va = 0x73e32fff entry_point = 0x73e20000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 5361 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 5362 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Thread: id = 543 os_tid = 0x7fc Process: id = "40" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x7f1fa180" os_pid = "0x64" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "39" os_parent_pid = "0x7f8" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "CRH2YWU7\\EEBsYm5" os_groups = "CRH2YWU7\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000da77" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5364 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5365 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5366 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 5367 start_va = 0xa30000 end_va = 0xcb0fff entry_point = 0xa30000 region_type = mapped_file name = "explorer.exe" filename = "\\Windows\\explorer.exe" (normalized: "c:\\windows\\explorer.exe") Region: id = 5368 start_va = 0x771d0000 end_va = 0x7730bfff entry_point = 0x771d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5369 start_va = 0x77410000 end_va = 0x77410fff entry_point = 0x77410000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5370 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5371 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 5372 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 5375 start_va = 0x40000 end_va = 0x41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5376 start_va = 0x1d0000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5377 start_va = 0x76990000 end_va = 0x76a63fff entry_point = 0x76990000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5378 start_va = 0x753a0000 end_va = 0x753e9fff entry_point = 0x753a0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5379 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5380 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 5381 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5382 start_va = 0x77130000 end_va = 0x771cffff entry_point = 0x77130000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5383 start_va = 0x76e10000 end_va = 0x76ebbfff entry_point = 0x76e10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5384 start_va = 0x76540000 end_va = 0x76558fff entry_point = 0x76540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5385 start_va = 0x76640000 end_va = 0x766e0fff entry_point = 0x76640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5386 start_va = 0x77320000 end_va = 0x7736dfff entry_point = 0x77320000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5387 start_va = 0x766f0000 end_va = 0x767b8fff entry_point = 0x766f0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5388 start_va = 0x765d0000 end_va = 0x765d9fff entry_point = 0x765d0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 5389 start_va = 0x76cd0000 end_va = 0x76d6cfff entry_point = 0x76cd0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 5390 start_va = 0x765e0000 end_va = 0x76636fff entry_point = 0x765e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 5391 start_va = 0x758f0000 end_va = 0x76539fff entry_point = 0x758f0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 5392 start_va = 0x76a70000 end_va = 0x76bcbfff entry_point = 0x76a70000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 5393 start_va = 0x767c0000 end_va = 0x7684efff entry_point = 0x767c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 5394 start_va = 0x73fe0000 end_va = 0x7414efff entry_point = 0x73fe0000 region_type = mapped_file name = "explorerframe.dll" filename = "\\Windows\\System32\\ExplorerFrame.dll" (normalized: "c:\\windows\\system32\\explorerframe.dll") Region: id = 5395 start_va = 0x74530000 end_va = 0x7455efff entry_point = 0x74530000 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 5396 start_va = 0x74470000 end_va = 0x74521fff entry_point = 0x74470000 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 5397 start_va = 0x20000 end_va = 0x21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5398 start_va = 0x76df0000 end_va = 0x76e0efff entry_point = 0x76df0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5399 start_va = 0x75820000 end_va = 0x758ebfff entry_point = 0x75820000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5400 start_va = 0x74150000 end_va = 0x7418ffff entry_point = 0x74150000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 5401 start_va = 0x738f0000 end_va = 0x73914fff entry_point = 0x738f0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 5402 start_va = 0x76f90000 end_va = 0x7712cfff entry_point = 0x76f90000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 5403 start_va = 0x755f0000 end_va = 0x75616fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 5404 start_va = 0x755d0000 end_va = 0x755e1fff entry_point = 0x755d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 5405 start_va = 0x73e20000 end_va = 0x73e32fff entry_point = 0x73e20000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 5406 start_va = 0x73610000 end_va = 0x73619fff entry_point = 0x73610000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 5407 start_va = 0x73420000 end_va = 0x735affff entry_point = 0x73420000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 5408 start_va = 0x75210000 end_va = 0x75217fff entry_point = 0x75210000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 5409 start_va = 0x75250000 end_va = 0x7526afff entry_point = 0x75250000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 5410 start_va = 0x74190000 end_va = 0x74284fff entry_point = 0x74190000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 5411 start_va = 0x390000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 5412 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 5413 start_va = 0x1d0000 end_va = 0x1d6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5414 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 5415 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 5416 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5417 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 5418 start_va = 0x390000 end_va = 0x490fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 5419 start_va = 0x530000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 5420 start_va = 0x540000 end_va = 0x932fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 5421 start_va = 0xcc0000 end_va = 0x18bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cc0000" filename = "" Region: id = 5422 start_va = 0x210000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 5423 start_va = 0x18c0000 end_va = 0x1a9ffff entry_point = 0x0 region_type = private name = "private_0x00000000018c0000" filename = "" Region: id = 5424 start_va = 0x18c0000 end_va = 0x19bffff entry_point = 0x0 region_type = private name = "private_0x00000000018c0000" filename = "" Region: id = 5425 start_va = 0x1a60000 end_va = 0x1a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a60000" filename = "" Region: id = 5426 start_va = 0x4f0000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 5427 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 5428 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 5429 start_va = 0x940000 end_va = 0xa1efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 5430 start_va = 0x75270000 end_va = 0x75298fff entry_point = 0x75270000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 5431 start_va = 0x1aa0000 end_va = 0x1d6efff entry_point = 0x1aa0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5432 start_va = 0x19c0000 end_va = 0x1a1bfff entry_point = 0x19c0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 5433 start_va = 0x19c0000 end_va = 0x1a1bfff entry_point = 0x19c0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 5434 start_va = 0x752a0000 end_va = 0x752abfff entry_point = 0x752a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 5437 start_va = 0x240000 end_va = 0x241fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 5438 start_va = 0x742d0000 end_va = 0x7446dfff entry_point = 0x742d0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 5439 start_va = 0x250000 end_va = 0x250fff entry_point = 0x250000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 5440 start_va = 0x260000 end_va = 0x261fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 5441 start_va = 0x4a0000 end_va = 0x4c3fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 5442 start_va = 0x73cf0000 end_va = 0x73deafff entry_point = 0x73cf0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 5443 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 5444 start_va = 0x270000 end_va = 0x278fff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 5445 start_va = 0x280000 end_va = 0x288fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 5446 start_va = 0x19c0000 end_va = 0x19e3fff entry_point = 0x0 region_type = private name = "private_0x00000000019c0000" filename = "" Region: id = 5447 start_va = 0x1d70000 end_va = 0x1e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 5448 start_va = 0x75320000 end_va = 0x7532afff entry_point = 0x75320000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 5450 start_va = 0x4a0000 end_va = 0x4a8fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 5451 start_va = 0x4b0000 end_va = 0x4d3fff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 5452 start_va = 0x19f0000 end_va = 0x1a13fff entry_point = 0x0 region_type = private name = "private_0x00000000019f0000" filename = "" Region: id = 5453 start_va = 0x706a0000 end_va = 0x706ebfff entry_point = 0x706a0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 5454 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 5455 start_va = 0x76f00000 end_va = 0x76f82fff entry_point = 0x76f00000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 5456 start_va = 0x4e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 5457 start_va = 0x73f60000 end_va = 0x73f90fff entry_point = 0x73f60000 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 5458 start_va = 0x73010000 end_va = 0x7341afff entry_point = 0x73010000 region_type = mapped_file name = "grooveex.dll" filename = "\\PROGRA~1\\MICROS~1\\Office14\\GROOVEEX.DLL" (normalized: "c:\\progra~1\\micros~1\\office14\\grooveex.dll") Region: id = 5460 start_va = 0xa20000 end_va = 0xa22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 5461 start_va = 0x73eb0000 end_va = 0x73f52fff entry_point = 0x73eb0000 region_type = mapped_file name = "msvcr90.dll" filename = "\\Windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcr90.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcr90.dll") Region: id = 5462 start_va = 0x73c40000 end_va = 0x73ccdfff entry_point = 0x73c40000 region_type = mapped_file name = "msvcp90.dll" filename = "\\Windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcp90.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\\msvcp90.dll") Region: id = 5463 start_va = 0x73e80000 end_va = 0x73eaafff entry_point = 0x73e80000 region_type = mapped_file name = "atl90.dll" filename = "\\Windows\\winsxs\\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_51cd0a7abbe4e19b\\ATL90.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_51cd0a7abbe4e19b\\atl90.dll") Region: id = 5464 start_va = 0x1e70000 end_va = 0x1ecffff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5465 start_va = 0x1ed0000 end_va = 0x1f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 5466 start_va = 0x19c0000 end_va = 0x19c3fff entry_point = 0x0 region_type = private name = "private_0x00000000019c0000" filename = "" Region: id = 5467 start_va = 0x19d0000 end_va = 0x19e7fff entry_point = 0x0 region_type = private name = "private_0x00000000019d0000" filename = "" Region: id = 5468 start_va = 0x1a20000 end_va = 0x1a2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a20000" filename = "" Region: id = 5469 start_va = 0x1a30000 end_va = 0x1a30fff entry_point = 0x0 region_type = private name = "private_0x0000000001a30000" filename = "" Region: id = 5470 start_va = 0x1a40000 end_va = 0x1a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a40000" filename = "" Region: id = 5471 start_va = 0x1a50000 end_va = 0x1a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a50000" filename = "" Region: id = 5472 start_va = 0x1e70000 end_va = 0x1e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 5473 start_va = 0x1ec0000 end_va = 0x1ecffff entry_point = 0x0 region_type = private name = "private_0x0000000001ec0000" filename = "" Region: id = 5474 start_va = 0x1e80000 end_va = 0x1e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 5475 start_va = 0x1e90000 end_va = 0x1e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 5476 start_va = 0x1ea0000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 5477 start_va = 0x1ea0000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Thread: id = 544 os_tid = 0xcc Thread: id = 545 os_tid = 0x100